IBM Tivoli Directory Server 6.1_Installation and Configuration Guide

7/28/2019 IBM Tivoli Directory Server 6.1_Installation and Configuration Guide

http://slidepdf.com/reader/full/ibm-tivoli-directory-server-61installation-and-configuration-guide 1/224



IBM Tivoli Directory Server

Installation and Configuration Guide

Version 6.1

GC32-1560-00



NoteBefore using this information and the product it supports, read the general information under Appendix S, “Notices,” onpage 201.

This edition applies to version 6, release 1, of IBM Tivoli Directory Server and to all subsequent releases andmodifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1998, 2007. All rights reserved.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.



Contents

About this book . . . . . . . . . . . viiIntended audience for this book . . . . . . . vii

Publications . . . . . . . . . . . . . . viiIBM Tivoli Directory Server version 6.1 library viiRelated publications . . . . . . . . . . viiiAccessing terminology online . . . . . . . viiiAccessing publications online . . . . . . . viiiOrdering publications . . . . . . . . . . ix

Accessibility . . . . . . . . . . . . . . ixTivoli technical training . . . . . . . . . . ixSupport information . . . . . . . . . . . ixConventions used in this book . . . . . . . . x

Typeface conventions . . . . . . . . . . xOperating system-dependent variables and paths x

Chapter 1. Quick installation path for a

server . . . . . . . . . . . . . . . 1

Chapter 2. Installation, instancecreation, configuration, and migrationoverview . . . . . . . . . . . . . . 3Before you begin: .zip, .tar, and .iso files . . . . . 3Upgrading from a previous release . . . . . . . 3Installation . . . . . . . . . . . . . . . 4

Client. . . . . . . . . . . . . . . . 4 Java client . . . . . . . . . . . . . . 4Server . . . . . . . . . . . . . . . 4Web Administration Tool . . . . . . . . . 5Embedded WebSphere Application Server . . . 5

DB2 . . . . . . . . . . . . . . . . 6Global Security Kit (GSKit) . . . . . . . . 6IBM Tivoli Directory Integrator . . . . . . . 6

Instance creation and database configuration . . . 7Database configuration and server setup . . . . . 8

Chapter 3. Upgrading from previousreleases . . . . . . . . . . . . . . 11About the client . . . . . . . . . . . . . 11Before you upgrade. . . . . . . . . . . . 11Upgrading using the command line and operatingsystem utilities . . . . . . . . . . . . . 13Migrating the Web Administration Tool and

upgrading Embedded WebSphere ApplicationServer . . . . . . . . . . . . . . . . 15Migrating Embedded WebSphere ApplicationServer and the Web Administration Tool. . . . 15

Chapter 4. Installing language packsusing the InstallShield GUI . . . . . . 17

Chapter 5. Considerations before youinstall on AIX, Linux, Solaris, andHP-UX systems . . . . . . . . . . . 21

Mounting and unmounting the CD duringinstallation . . . . . . . . . . . . . . 21

Mounting and unmounting the CD on Solaris 9systems. . . . . . . . . . . . . . . 21Mounting and unmounting the CD on HP-UXsystems. . . . . . . . . . . . . . . 21

The idsldap user and group . . . . . . . . . 22Installation path on AIX, Linux, Solaris, and HP-UXplatforms . . . . . . . . . . . . . . . 24Using commands to set and remove links . . . . 24

Chapter 6. Installing IBM TivoliDirectory Server using the InstallShieldGUI . . . . . . . . . . . . . . . . 25Before you install . . . . . . . . . . . . 25Installing IBM Tivoli Directory Server on a Windowssystem . . . . . . . . . . . . . . . . 26

Installing with the Typical installation path onWindows systems . . . . . . . . . . . 27Installing with the Custom installation path onWindows systems . . . . . . . . . . . 30

Installing IBM Tivoli Directory Server on an AIX,Linux, Solaris, or HP-UX system . . . . . . . 34

Installing with the Typical installation path onAIX, Linux, Solaris, and HP-UX systems. . . . 35Installing with the Custom installation path onAIX, Linux, Solaris, and HP-UX systems. . . . 37

Using the InstallShield GUI to install and upgradeto Tivoli Directory Server 6.1 . . . . . . . . 41

After you install using the InstallShield GUI . . . 47

Chapter 7. Installing IBM TivoliDirectory Server using AIX utilities . . 49Before installing on a node within an RS/6000 SPenvironment . . . . . . . . . . . . . . 50Packages, filesets, and prerequisites . . . . . . 50SMIT installation . . . . . . . . . . . . 53Command line installation using installp . . . . 56Installing GSKit . . . . . . . . . . . . . 59

Setting system variables for GSKit . . . . . . 59Removing GSKit. . . . . . . . . . . . 60

Chapter 8. Installing IBM TivoliDirectory Server using Linux utilities. . 61Installing IBM Tivoli Directory Server . . . . . 61

Packages . . . . . . . . . . . . . . 61Installing features . . . . . . . . . . . 63

Installing GSKit . . . . . . . . . . . . . 65Removing GSKit. . . . . . . . . . . . 66

Chapter 9. Installing IBM TivoliDirectory Server using Solaris utilities . 67Before you install . . . . . . . . . . . . 67Installing IBM Tivoli Directory Server . . . . . 67

© Copyright IBM Corp. 1998, 2007 iii



Package dependencies . . . . . . . . . . 67Command line installation using pkgadd . . . 69


Chapter 10. Installing IBM TivoliDirectory Server using HP-UX utilities . 75

Before you install . . . . . . . . . . . . 75Installing IBM Tivoli Directory Server . . . . . 75

Package dependencies . . . . . . . . . . 75Installing using swinstall . . . . . . . . . 77


Chapter 11. Installing and uninstallingsilently on Windows systems . . . . . 81Silent installation . . . . . . . . . . . . 81

Installing the server or client silently . . . . . 82Installing language packs silently . . . . . . 84Verifying the silent installation . . . . . . . 85Options files for silent installation of servers andlanguage packs . . . . . . . . . . . . 86

Silent uninstallation . . . . . . . . . . . 89Options files for silent uninstallation of serversand language packs . . . . . . . . . . 89

Chapter 12. Creating and administeringinstances . . . . . . . . . . . . . 93Starting the Instance Administration Tool . . . . 93Creating a directory server instance . . . . . . 94

Creating an instance with the InstanceAdministration Tool . . . . . . . . . . 94Creating an instance with the command line 106

Launching the Configuration Tool from the

Instance Administration Tool . . . . . . . . 107Changing the TCP/IP settings for an instance . . 108

Changing the TCP/IP settings with the InstanceAdministration Tool . . . . . . . . . . 108Changing the TCP/IP settings with thecommand line . . . . . . . . . . . . 109

Viewing information about an instance . . . . . 109Viewing information about an instance usingthe Instance Administration Tool . . . . . . 109Viewing information about an instance usingthe command line . . . . . . . . . . . 109

Deleting a directory server instance . . . . . . 110Deleting an instance using the InstanceAdministration Tool . . . . . . . . . . 110

Deleting an instance using the command line 110

Chapter 13. Configuration . . . . . . 111Starting and using the IBM Tivoli Directory ServerConfiguration Tool (idsxcfg) . . . . . . . . 111Managing the primary administrator DN for adirectory server instance. . . . . . . . . . 113

Managing the primary administrator DN withthe Configuration Tool . . . . . . . . . 113Managing the primary administrator DN withthe command line . . . . . . . . . . . 113

Managing the primary administrator password fora directory server instance . . . . . . . . . 114

Managing the primary administrator passwordwith the Configuration Tool . . . . . . . 114Managing the primary administrator passwordwith the command line . . . . . . . . . 114

Configuring the database for a directory serverinstance . . . . . . . . . . . . . . . 115

Configuring the database with theConfiguration Tool . . . . . . . . . . 115Configuring the database with the commandline . . . . . . . . . . . . . . . . 116

Changing the password for the database owner . . 117Changing the password for the database ownerwith the Configuration Tool . . . . . . . 117Changing the password for the database ownerwith the command line . . . . . . . . . 117

Unconfiguring the database for a directory serverinstance . . . . . . . . . . . . . . . 118

Unconfiguring the database with theConfiguration Tool . . . . . . . . . . 118Unconfiguring the database with the commandline . . . . . . . . . . . . . . . . 118

Enabling or disabling the change log for a directoryserver instance . . . . . . . . . . . . . 119

Enabling the change log . . . . . . . . . 119Disabling the change log . . . . . . . . 120

Managing suffixes . . . . . . . . . . . . 121Adding a suffix. . . . . . . . . . . . 121Removing a suffix . . . . . . . . . . . 122

Managing schema files . . . . . . . . . . 123Adding a schema file . . . . . . . . . . 123Removing a schema file . . . . . . . . . 124Changing the type of validation checking that isdone . . . . . . . . . . . . . . . 125

Importing and exporting LDIF data . . . . . . 125Importing LDIF data with the ConfigurationTool . . . . . . . . . . . . . . . 126Validating LDIF data without adding it to thedatabase using the Configuration Tool . . . . 127Exporting LDIF data with the ConfigurationTool . . . . . . . . . . . . . . . 127

Backing up the database. . . . . . . . . . 128Backing up the database with the ConfigurationTool . . . . . . . . . . . . . . . 128Backing up the database with the command line 128

Restoring the database . . . . . . . . . . 129Using the Configuration Tool . . . . . . . 129Using the command line . . . . . . . . 129

Optimizing the database. . . . . . . . . . 129Using the Configuration Tool . . . . . . . 130Using the command line . . . . . . . . 130

Configuring Active Directory synchronization . . 130Configuring Active Directory synchronizationwith the Configuration Tool . . . . . . . 131Configuring Active Directory synchronizationwith the command line . . . . . . . . . 133

Tuning the performance of the directory server . . 133Performance tuning with the Configuration Tool 133Performance tuning with the command line . . 136

iv IBM Tivoli Directory Server: Installation and Configuration Guide



Chapter 14. After you install andconfigure . . . . . . . . . . . . . 137Starting the directory server instance . . . . . 137Starting the Web application server to use the WebAdministration Tool . . . . . . . . . . . 138Starting the Web Administration Tool . . . . . 138Stopping the Web application server. . . . . . 139

Setting kernel parameters on Solaris or HP-UXsystems . . . . . . . . . . . . . . . 139

Chapter 15. Uninstalling IBM TivoliDirectory Server . . . . . . . . . . 141Uninstalling IBM Tivoli Directory Server using theInstallShield GUI . . . . . . . . . . . . 141Uninstalling language packs using the InstallShieldGUI . . . . . . . . . . . . . . . . 142Uninstalling using operating system utilities . . . 143

AIX systems. . . . . . . . . . . . . 143Linux systems . . . . . . . . . . . . 144Solaris systems . . . . . . . . . . . . 145HP-UX systems. . . . . . . . . . . . 145

Appendix A. Directory structure ofdownloaded files . . . . . . . . . . 147Directory structure for Windows files . . . . . 147Directory structure for AIX files . . . . . . . 148Directory structure for Linux files . . . . . . 149Directory structure for Solaris SPARC files. . . . 150Directory structure for Solaris X64 files . . . . . 151Directory structure for HP-UX PA-RISC files . . . 152Directory structure for HP-UX Integrity files . . . 153

Appendix B. Disk space requirementsfor installable features . . . . . . . 155Windows disk space requirements . . . . . . 155AIX disk space requirements . . . . . . . . 155Linux disk space requirements . . . . . . . 156Solaris disk space requirements . . . . . . . 156HP-UX disk space requirements . . . . . . . 157

Appendix C. Configuration planning 159

Appendix D. Setting up users andgroups: directory server instanceowner, database instance owner, anddatabase owner . . . . . . . . . . 161Naming rules . . . . . . . . . . . . . 162Additional restrictions for users and groups . . . 162Creating instance owners: examples . . . . . . 163

Appendix E. Synchronizing two-waycryptography between serverinstances . . . . . . . . . . . . . 165

Appendix F. Directory serverinstances . . . . . . . . . . . . . 167

Directory server instance content on Windowssystems . . . . . . . . . . . . . . . 167Directory server instance content on AIX, Linux,Solaris, and HP-UX systems . . . . . . . . 168

Appendix G. Preparing for copying aninstance or for online backup and

restore . . . . . . . . . . . . . . 169

Appendix H. Installing, configuring,and uninstalling EmbeddedWebSphere Application Server . . . . 171Manually installing and configuring EmbeddedWebSphere Application Server. . . . . . . . 171

Installing Embedded WebSphere ApplicationServer . . . . . . . . . . . . . . . 171Deploying the Web Administration Tool intoEmbedded WebSphere Application Server . . . 172

Uninstalling the Web Administration Tool fromEmbedded WebSphere Application Server . . . . 173

Default ports for Embedded WebSphereApplication Server for the Web AdministrationTool . . . . . . . . . . . . . . . . 173Using HTTPS for Embedded WebSphereApplication Server Version 6.1.0.7 . . . . . . 174

Appendix I. Installing the WebAdministration Tool into WebSphere . 177

Appendix J. Default ports forEmbedded WebSphere ApplicationServer for IBM Tivoli DirectoryIntegrator . . . . . . . . . . . . . 179

Appendix K. ASCII characters from 33to 126. . . . . . . . . . . . . . . 181

Appendix L. Information for bundlers 183How to install silently . . . . . . . . . . 183Environment variable for silent installation withnative packages . . . . . . . . . . . . 183Starting the instance administration tool inmigration mode . . . . . . . . . . . . 184Additional information about GSKit . . . . . . 184

Appendix M. Installing and

configuring DSML . . . . . . . . . 185

Appendix N. Loading the sample LDIFfile into the database . . . . . . . . 187

Appendix O. UTF-8 support . . . . . 189Why choose anything other than UTF-8? . . . . 189Server utilities . . . . . . . . . . . . . 189

Examples. . . . . . . . . . . . . . 189Supported IANA character sets . . . . . . . 190

Contents v



Appendix P. Installing and uninstallingGSKit manually on Windowsoperating systems . . . . . . . . . 193Removing GSKit . . . . . . . . . . . . 193

Appendix Q. Setting up GSKit tosupport CMS key databases . . . . . 195

Appendix R. Accessibility features forIBM Tivoli Directory Server . . . . . 199

Accessibility features . . . . . . . . . . . 199Keyboard navigation . . . . . . . . . . . 199Related accessibility information . . . . . . . 199

Appendix S. Notices . . . . . . . . 201Trademarks . . . . . . . . . . . . . . 202

Index . . . . . . . . . . . . . . . 205

vi IBM Tivoli Directory Server: Installation and Configuration Guide



About this book

IBM® Tivoli® Directory Server is the IBM implementation of Lightweight DirectoryAccess Protocol for supported Windows®, AIX®, Linux® (xSeries®, zSeries®,

pSeries®, and iSeries™), Solaris, and Hewlett-Packard UNIX® (HP-UX) operatingsystems.

IBM Tivoli Directory Server version 6.1 Installation and Configuration Guide describeshow to install, configure, and uninstall IBM Tivoli Directory Server version 6.1, andhow to upgrade to the 6.1 version from previous releases of the product. Fordetailed information about supported operating system versions, as well as otherrequired software and hardware, see IBM Tivoli Directory Server version 6.1 SystemRequirements.

Intended audience for this book

This book is for administrators who will install and configure IBM Tivoli DirectoryServer version 6.1.

Readers need to know how to use the operating system on which IBM TivoliDirectory Server will be installed.

Publications

This section lists publications in the IBM Tivoli Directory Server version 6.1 libraryand related documents. The section also describes how to access Tivoli publicationsonline and how to order Tivoli publications.

IBM Tivoli Directory Server version 6.1 libraryThe following documents are available in the IBM Tivoli Directory Server version6.1 library:

v IBM Tivoli Directory Server Version 6.1 What's New for This Release, SC23-6539-00

Provides information about the new features in the IBM Tivoli Directory ServerVersion 6.1 release.

v IBM Tivoli Directory Server Version 6.1 Quick Start Guide, GI11-8172-00

Provides help for getting started with IBM Tivoli Directory Server 6.1. Includes ashort product description and architecture diagram, as well as a pointer to theproduct Information Center and installation instructions.

v IBM Tivoli Directory Server Version 6.1 System Requirements, SC23-7835-00

Contains the minimum hardware and software requirements for installing and

using IBM Tivoli Directory Server 6.1 and its related software. Also lists thesupported versions of corequisite products such as DB2® and GSKit.

v IBM Tivoli Directory Server Version 6.1 Installation and Configuration Guide,GC32-1560-00

Contains complete information for installing, configuring, and uninstalling IBMTivoli Directory Server. Includes information about upgrading from a previousversion of IBM Tivoli Directory Server.

v IBM Tivoli Directory Server Version 6.1 Administration Guide, GC32-1564-00

Contains instructions for performing administrator tasks through the WebAdministration Tool and the command line.

© Copyright IBM Corp. 1998, 2007 vii



v IBM Tivoli Directory Server Version 6.1 Command Reference, SC23-7834-00

Describes the syntax and usage of the command-line utilities included with IBMTivoli Directory Server.

v IBM Tivoli Directory Server Version 6.1 Server Plug-ins Reference, GC32-1565-00

Contains information about writing server plug-ins.

v IBM Tivoli Directory Server Version 6.1 Programming Reference, SC23-7836-00

Contains information about writing Lightweight Directory Access Protocol(LDAP) client applications in C and Java™.

v IBM Tivoli Directory Server Version 6.1 Performance Tuning and Capacity PlanningGuide, SC23-7836-00

Contains information about tuning the directory server for better performance.Describes disk requirements and other hardware needs for directories of different sizes and with various read and write rates. Describes known workingscenarios for each of these levels of directory and the disk and memory used;also suggests rough rules of thumb.

v IBM Tivoli Directory Server Version 6.1 Problem Determination Guide, GC32-1568-00

Contains information about possible problems and corrective actions that can be

tried before contacting IBM Software Support.v IBM Tivoli Directory Server Version 6.1 Messages Guide, GC32-1567-00

Contains a list of all informational, warning, and error messages associated withIBM Tivoli Directory Server 6.1.

v IBM Tivoli Directory Server Version 6.1 White Pages, SC23-7837-00

Describes the Directory White Pages application, which is provided with IBMTivoli Directory Server 6.1. Contains information about installing, configuring,and using the application for both administrators and users.

Related publicationsThe following documents also provide useful information:

v

Java Naming and Directory Interface

™

1.2.1 Specification on the Sun MicrosystemsWeb site at http://java.sun.com/products/jndi/1.2/javadoc/index.html.

IBM Tivoli Directory Server Version 6.1 uses the Java Naming and DirectoryInterface (JNDI) client from Sun Microsystems. See this document forinformation about the JNDI client.

Accessing terminology onlineThe Tivoli Software Glossary includes definitions for many of the technical termsrelated to Tivoli software. The Tivoli Software Glossary is available at the followingTivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM productlibraries in one convenient location. You can access the Terminology Web site at thefollowing Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications onlineIBM posts publications for this and all other Tivoli products, as they becomeavailable and whenever they are updated, to the Tivoli Information Center Website at http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html.

viii IBM Tivoli Directory Server: Installation and Configuration Guide

http://java.sun.com/products/jndi/1.2/javadoc/index.html



http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html

http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html



http://java.sun.com/products/jndi/1.2/javadoc/index.html



In the Tivoli Information Center window, click Tivoli product manuals. Click theletter that matches the first letter of your product name to access your productlibrary. For example, click M to access the IBM Tivoli Monitoring library or click Oto access the IBM Tivoli OMEGAMON® library.

Note: If you print PDF documents on other than letter-sized paper, set the optionin the File → Print window that allows Adobe® Reader to print letter-sized

pages on your local paper.

Ordering publicationsYou can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

You can also order by telephone by calling one of these numbers:

v In the United States: 800-879-2755

v In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivolipublications. To locate the telephone number of your local representative, performthe following steps:

1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

2. Select your country from the list and click Go.

3. Click About this site in the main panel to see an information page thatincludes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You can alsouse the keyboard instead of the mouse to operate all features of the graphical userinterface.

For additional information, see Appendix R, “Accessibility features for IBM TivoliDirectory Server,” on page 199.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM TivoliEducation Web site at http://www.ibm.com/software/tivoli/education.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBMprovides the following ways for you to obtain the support you need:

v IBM Support Assistant: You can search across a large collection of knownproblems and workarounds, Technotes, and other information athttp://www.ibm.com/software/support/isa.

v Obtaining fixes: You can locate the latest fixes that are already available for yourproduct.

About this book ix

http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi


http://www.ibm.com/software/tivoli/education

http://www.ibm.com/software/support/isa

http://www.ibm.com/software/support/isa

http://www.ibm.com/software/tivoli/education





v Contacting IBM Software Support: If you still cannot solve your problem, andyou need to work with someone from IBM, you can use a variety of ways tocontact IBM Software Support.

For more information about resolving problems, see the IBM Tivoli Directory ServerVersion 6.1 Problem Determination Guide.

Conventions used in this book

This book uses several conventions for special terms and actions, operatingsystem-dependent commands and paths, and margin graphics.

Typeface conventionsThis book uses the following typeface conventions:

Bold

v Lowercase commands and mixed case commands that are otherwisedifficult to distinguish from surrounding text

v Interface controls (check boxes, push buttons, radio buttons, spin

buttons, fields, folders, icons, list boxes, items inside list boxes,multicolumn lists, containers, menu choices, menu names, tabs, propertysheets), labels (such as Tip:, and Operating system considerations:)

v Keywords and parameters in text

Italic

v Citations (examples: titles of books, diskettes, and CDs)

v Words defined in text (example: a nonswitched line is called a point-to-point line)

v Emphasis of words and letters (words as words example: "Use the wordthat to introduce a restrictive clause."; letters as letters example: "TheLUN address must start with the letter L.")

vNew terms in text (except in a definition list): a view is a frame in aworkspace that contains data.

v Variables and values you must provide: ... where myname represents....

Monospace

v Examples and code examples

v File names, programming keywords, and other elements that are difficultto distinguish from surrounding text

v Message text and prompts addressed to the user

v Text that the user must type

v Values for arguments or command options

Operating system-dependent variables and pathsThis book uses the UNIX convention for specifying environment variables and fordirectory notation.

When using the Windows command line, replace $variable with % variable% forenvironment variables and replace each forward slash ( / ) with a backslash (\) indirectory paths. The names of environment variables are not always the same inthe Windows and UNIX environments. For example, %TEMP% in Windowsenvironments is equivalent to $TMPDIR in UNIX environments.

x IBM Tivoli Directory Server: Installation and Configuration Guide



Note: If you are using the bash shell on a Windows system, you can use the UNIXconventions.

About this book xi



xii IBM Tivoli Directory Server: Installation and Configuration Guide



Chapter 1. Quick installation path for a server

To follow the simplest path through installation of a server, use the checklist in thischapter. If you are upgrading from a previous release, do not use this checklist.

Instead, see Chapter 3, “Upgrading from previous releases,” on page 11 forinstructions. This procedure uses the Typical installation path and creates thedefault directory server instance. If you want more control over the features youinstall and the directory server instance you create, do not use this procedure.

__ 1. Decide what kind of server or servers you want to install on this computer.See Chapter 2, “Installation, instance creation, configuration, and migrationoverview,” on page 3 for information.

__ 2. Be sure that you have the minimum required hardware and software.

See IBM Tivoli Directory Server version 6.1 System Requirements forinformation.

__ 3. Plan the organization of your database if you want a full server.

See Appendix C, “Configuration planning,” on page 159 for information.__ 4. If you want to use a language other than English, install the language pack

for your language. See Chapter 4, “Installing language packs using theInstallShield GUI,” on page 17 for instructions.

Note: You can install a language pack after installing IBM Tivoli DirectoryServer, but the Instance Administration Tool and Configuration Toolpanels, as well as server messages, will display in English until youinstall a language pack.

__ 5. Install IBM Tivoli Directory Server using the InstallShield GUI. Select theTypical rather than the Custom installation path.

For Windows platforms, see “Before you install” on page 25. and

“Installing with the Typical installation path on Windows systems” on page27.

For AIX, Linux, Solaris, and HP-UX platforms, see “Before you install” onpage 25 and “Installing with the Typical installation path on AIX, Linux,Solaris, and HP-UX systems” on page 35.

__ 6. On Windows systems, if the system restarts, log on as the user you werelogged on as during installation.

__ 7. When the Instance Administration Tool starts, you have the option tocreate additional directory server instances. (You have already created thedefault directory server instance.) In addition, you can use the Configure

button in the Instance Administration Tool to start the Configuration Tooland view the configuration status of the default instance or change the

password for the primary administrator DN. See Chapter 12, “Creating andadministering instances,” on page 93 for information about using theInstance Administration Tool.

__ 8. Optionally, verify the installation and configuration by loading the sampleLDIF file into the database.

See Appendix N, “Loading the sample LDIF file into the database,” onpage 187 for information.

__ 9. Start the directory server instance and, if you installed the WebAdministration Tool, start it.

© Copyright IBM Corp. 1998, 2007 1



See Chapter 14, “After you install and configure,” on page 137 forinformation.

__ 10. See the IBM Tivoli Directory Server Version 6.1 Administration Guide forinformation about setting up and using the server and the WebAdministration Tool.

2 IBM Tivoli Directory Server: Installation and Configuration Guide



Chapter 2. Installation, instance creation, configuration, andmigration overview

This chapter briefly describes migration, installation, instance creation, andconfiguration for IBM Tivoli Directory Server version 6.1.

Before you begin: .zip, .tar, and .iso files

The IBM Tivoli Directory Server product is available in three types of files: .zip,.tar, and .iso. (There are .iso files that can be burned onto CD-ROMs, and there are.zip and .tar files that correspond to each .iso file.)

If you downloaded .zip files, uncompress the files after you download them toyour computer. Be sure to uncompress the files into a path that has no spaces inthe name. Uncompress all .zip files in the same directory.

If you downloaded .tar (or Tape ARchive) files, uncompress the files after youdownload them. Uncompress all .tar files in the same directory.

The .iso file versions of the product are used to burn installation CD-ROMs thatcan then be used in the installation process. The .iso files are images that must beprocessed through a CD-ROM burner program to create CD-ROMs. When youcreate the CD-ROMs, be sure that you do not make data CDs of the .iso files.Select the option that unencapsulates the data from the .iso files and burns the fileson the CD-ROM.

For information about the directory structure after you uncompress the file ondifferent operating systems, see Appendix A, “Directory structure of downloadedfiles,” on page 147.

After you process the downloaded files, you can install IBM Tivoli Directory Serverusing the installation instructions in the appropriate installation chapter.

Upgrading from a previous release

If you have a previous version of IBM Tivoli Directory Server, upgrading isnecessary to preserve any changes that you have made to the schema definitionsand to preserve your directory server configuration. Previous versions include thefollowing:

v IBM Directory Server 4.1, 5.1, or 5.1 for Linux iSeries and pSeries

v IBM Tivoli Directory Server 5.2 or 6.0

In addition, it might be necessary to upgrade your operating system and your DB2version. See IBM Tivoli Directory Server Version 6.1 System Requirements forinformation about supported operating system and DB2 versions.

If you want to upgrade from an earlier version of IBM Tivoli Directory Server, seeChapter 3, “Upgrading from previous releases,” on page 11 for instructions.




Installation

When you install IBM Tivoli Directory Server on a computer, you can install one ormore features that allow the computer to function as a client, a proxy server, a fullserver, or a console for managing servers. In addition, if you want a server todisplay messages in a language other than English, you must also install alanguage pack.

IBM Tivoli Directory Server 6.1 has several ways of installing. You can install usingan InstallShield graphical user interface (GUI) or you can use installation tools foryour operating system. Instructions for using the InstallShield GUI are found inChapter 6, “Installing IBM Tivoli Directory Server using the InstallShield GUI,” onpage 25.

For information about platform-specific installation methods, see the installationchapter for the operating system on which you are installing. For example, seeChapter 7, “Installing IBM Tivoli Directory Server using AIX utilities,” on page 49.

Before you install, see IBM Tivoli Directory Server version 6.1 System Requirements forhardware and software requirements.

To help you decide what you want to install, the following sections describe thechoices on the InstallShield GUI main panel.

ClientThe client Software Development Kit (SDK) provides the tools required to developC-language LDAP applications. The following are provided:

v Client libraries that provide a set of C-language APIs

v C header files for building and compiling LDAP applications

v Sample programs in source form

v Executable versions of the sample programs

The client can be installed alone, and it must be installed when you install a server.IBM Tivoli Directory Server 6.1 clients can coexist on the same computer withanother client that is version 4.1, 5.1, 5.2, or 6.0.

Java clientThe Java client includes the Java SDK version 1.5, IBM Tivoli Directory Server

JNDI Toolkit, and Java client utilities. The Java client is required if you areinstalling a server.

ServerYou can install two types of servers: the directory server and the proxy server. Youcan install both types of servers on one computer and create one or more instancesof the types of servers you have installed. These are called directory serverinstances. Each directory server instance can function as either a proxy server or afull server, but not both.

An IBM Tivoli Directory Server 6.1 server requires that the version 6.1 client andthe Java client also be installed. In addition, the server can coexist on the samecomputer with another client that is version 4.1, 5.1, 5.2, or 6.0, or with a version6.0 server.




Proxy serverThe proxy server is an LDAP server that acts as a front-end to the directory. Itauthenticates the client with respect to the entire directory and routes requests tocertain other directory servers. This improves performance and provides a unifiedview of the directory to the client. The proxy server can also be used at thefront-end of a server cluster or a distributed directory for providing failover andload balancing.

The proxy server is configured with information that allows it to connect to each of the directory servers for which it is the proxy server. It routes each request to oneor more target servers. The proxy server can load balance among target serversthat are equally capable of handling an operation; it performs transparent failoverto alternate servers if a server is busy or down.

To install a proxy server, you do not need to have DB2 installed on the computer.

This book contains information about installing a proxy server and creating andconfiguring a proxy server instance. For additional information about proxyservers, including information about setting up a proxy server instance as a proxyfor other directory server instances, see the IBM Tivoli Directory Server version 6.1 Administration Guide.

Note: If you downloaded IBM Tivoli Directory Server 6.1 from PassportAdvantage, you are entitled to use the proxy server. If you obtained IBMTivoli Directory Server 6.1 from another Web site, you are entitled to use theproxy server for evaluation purposes only. To be entitled to full use of theproxy server, download IBM Tivoli Directory Server 6.1 from the PassportAdvantage Web site.

Directory serverThe directory server is an LDAP server; it is configured with a database instance,and it processes client requests that require accessing entries stored in the database.

DB2 is required for a directory server.

Web Administration ToolYou can use the Web Administration Tool as a console to administer LDAP servers,which can be of the following types:

v IBM Tivoli Directory Server 6.1



v IBM Directory Server 5.1

v i5/OS® V5 R4

v z/OS® V1 R6 Integrated Security Services

v z/OS V1 R8 Integrated Security Servicesv z/OS V1 R8 IbM Tivoli Directory Server

Note: For z/OS, only management of directory date, but not serveradministration, is supported.

Embedded WebSphere Application ServerA Web application server is required to run the Web Administration Tool.Embedded WebSphere® Application Server 6.1.0.7, is provided with IBM Tivoli

Chapter 2. Installation, instance creation, configuration, and migration overview 5



Directory Server. For information about other Web application servers that aresupported, see IBM Tivoli Directory Server version 6.1 System Requirements.

DB2IBM DB2 is required for the directory server because directory data is stored in aDB2 database. (DB2 is not required for the proxy server.) IBM DB2 Enterprise

Server Edition (ESE) 9.1 is included with IBM Tivoli Directory Server for alloperating systems. However, other versions are supported. See IBM Tivoli DirectoryServer version 6.1 System Requirements to find out which versions of DB2 aresupported for your operating system.

Note: Remote databases are not supported.

Global Security Kit (GSKit)Tivoli Global Security Kit (GSKit) is an optional software package that is requiredonly if Secure Sockets Layer (SSL) Security or Transport Layer Security (TLS) isrequired.

IBM Tivoli Directory Server alone does not provide the capability for SSLconnections from IBM Tivoli Directory Server clients. You can enable the SSLfeature by installing the IBM GSKit package. The GSKit package includes SSLsupport and associated RSA Security, Inc. technology.

OpenSSL is included in GSKit and may be used for cryptographic operations (asper the OpenSSL license requirements).

The IBM Tivoli Directory Server server can work without the GSKit installed. Inthis case the server accepts only non-secure connections from directory clients.Similarly, the IBM Tivoli Directory Server client can work without the GSKitinstalled. Install GSKit on both th' server and the client if you want to use secureconnections.

Version 7.0.3.30 of GSKit is provided with IBM Tivoli Directory Server 6.1.

IBM Tivoli Directory IntegratorIf you install a server, you must install IBM Tivoli Directory Integrator if you wantto do any of the following:

v Use the idssupport tool, which gathers information from your system that youcan supply to IBM Software Support if you encounter problems, or the logmanagement tool (idslogmgmt).

You can find information about the support tool and the log management tool inthe IBM Tivoli Directory Server version 6.1 Problem Determination Guide.

v Use Simple Network Management Protocol (SNMP).

v Use the Active Directory synchronization feature.

You can find information about SNMP and Active Directory synchronization inthe IBM Tivoli Directory Server version 6.1 Administration Guide for information.

Version 6.1.1 of IBM Tivoli Directory Integrator is provided with IBM TivoliDirectory Server 6.1. The copy of IBM Tivoli Directory Integrator provided includesthe IBM Tivoli Directory Integrator Server and the IBM Tivoli Directory IntegratorAdministration and Monitoring Console. The IBM Tivoli Directory IntegratorConfiguration Editor, which is used to develop assembly lines and event handlers,is not included as part of IBM Tivoli Directory Server. If you want the full version




of IBM Tivoli Directory Integrator, purchase IBM Tivoli Directory Integrator 6.1.1,which includes all the features of IBM Tivoli Directory Integrator.

Note: IBM Tivoli Directory Integrator is not provided for Solaris X64 or HP-UXIntegrity systems.

Instance creation and database configurationDuring or after server installation, you must perform the following configurationtasks before you can use the server:

v Create user IDs for the directory server instance owner and, for someinstallations, the database instance owner and the database owner. This can bedone through the Instance Administration Tool, which runs during installation if you use the Typical installation path of the InstallShield GUI or after installationif you use the Custom installation path.

v Create a directory server instance. This can be done during or after installation.When you install IBM Tivoli Directory Server using the Typical path of theInstallShield GUI, you create the default directory server instance, for whichmost of the settings are predefined. When you install IBM Tivoli Directory

Server using some other method (such as the Custom installation path of theInstallShield GUI or operating system utility installation), you can create adirectory server instance with settings that you define.

v Set the IBM Tivoli Directory Server primary administrator distinguished name(DN) and password for the directory server instance. This operation can becompared to defining the root user ID and password on a UNIX system.

v If the directory server instance is not a proxy server, configure the database. Youdo not need a database for a proxy server instance.

You can have multiple directory server instances on one computer, and they can bea mixture of proxy server and full server instances. The files for each directoryserver instance are stored in a path that includes the directory server instance

name.

During or after successful installation of a server, if you used the InstallShield GUIto install, the Instance Administration Tool runs so that you can create a directoryserver instance. If you did not use the InstallShield GUI to install, you must startthe Instance Administration Tool manually or use the idsicrt command-line utility.

When you create a non-proxy directory server instance, a database instance is alsocreated if the directory server is installed on the computer. By default, the directoryserver instance and the database instance have the same name. The name mustmatch the name of an existing user on the system that meets certain qualifications,described in Appendix D, “Setting up users and groups: directory server instanceowner, database instance owner, and database owner,” on page 161.

You can also use the Instance Administration Tool for the following tasks:

v Creating user IDs for the directory server instance owner, database instanceowner, and database owner.

v Making a copy of a Tivoli Directory Server 6.1 directory server instance that ison the same computer or on another computer

v Migrating server schema and configuration files from a previous release to anIBM Tivoli Directory Server 6.1 instance

v Editing the TCP/IP settings for an instance

v Viewing all instances on the computer




v idsldif2db or idsbulkload imports LDIF data.

v idsdb2ldif exports LDIF data.

v idsdbback backs up the database.

v idsdbrestore restores the database.

v idsrunstats optimizes the database.

v idsadscfg configures Active Directory Synchronization.

v idsperftune tunes directory server performance.

Note: For proxy server instances, only the following tasks are available:

v Managing the administrator DN and password in the Configuration Tool(idsdnpw command-line utility)

v Managing schema files in the Configuration Tool (idscfgsch andidsucfgsch command-line utilities)

v Managing suffixes in the Configuration Tool (idscfgsuf and idsucfgsufcommand-line utilities)




Chapter 3. Upgrading from previous releases

Upgrading refers to the process of installing IBM Tivoli Directory Server version 6.1to replace an earlier version while preserving the data, changes that were made to

the schema definitions, and directory server configuration from the earlier version.Use the procedures in this chapter when you are upgrading an existing directoryserver on the same physical computer from a version of IBM Directory Server orIBM Tivoli Directory Server.

If you have only a client installed, see “About the client.”

You can upgrade from IBM Directory Server 4.1 or 5.1, or IBM Tivoli DirectoryServer 5.2 or 6.0. (You cannot upgrade from SecureWay® Directory; the minimumversion from which you can upgrade is IBM Directory Server 4.1.)

About the client

If you have only a client installed, migration is not necessary. Clients from releases4.1, 5.1, 5.2, and 6.0 can coexist with IBM Tivoli Directory Server 6.1 clients andservers.

Before you upgrade

Before you upgrade to Tivoli Directory Server 6.1 from a previous version, do thefollowing steps:

1. Be sure that the server you plan to migrate to IBM Tivoli Directory Server 6.1can be successfully started. (If the server is not a proxy server, be sure that thedatabase is configured.) If the server cannot be started successfully, whether itis a proxy server or a full directory server, the upgrade is not supported.

Note: You must not remove the directory server instance that you want toupgrade and, for a full directory server instance, you must notunconfigure the database. If you do either of these, upgrade is notsupported.

2. Back up the databases and DB2 settings. See the Administration Guide for yourrelease of IBM Directory Server or IBM Tivoli Directory Server for informationabout backing up databases using DB2 commands, the dbback or idsdbbackcommand, or the Configuration Tool. Take an offline database backup for eachlocal database on the server. (You can do this step now or after step 3.)

3. Back up the configuration files and schema files by using the migbkup utility.(This step is optional if you use the InstallShield GUI to upgrade.)

Note: You can find this utility in one of the following locations:

For Windows systems:If you created a CD: the \tools subdirectory on the CD

If you downloaded a .zip file, the itdsV61\tools subdirectory of the directory where you unzipped the file

For AIX, Linux, Solaris, and HP-UX systems:If you created a CD for InstallShield GUI installation: the /toolssubdirectory on the CD




If you created a CD for installation with operating systemutilities: the /tools subdirectory on the CD

If you downloaded a .tar file for InstallShield GUI installation:the itdsV61ismp/tools subdirectory of the directory where youuntarred the file

If you downloaded a .tar file for installation with operating

system utilities: the itdsV61/tools subdirectory of the directorywhere you untarred the file

Type the following at a command prompt:

v For Windows systems:

migbkup.bat install_location backup_directory

v For AIX, Linux, Solaris, and HP-UX systems:

migbkup install_location backup_directory

This utility backs up the server configuration file (slapd32.conf on 4.1 systemsand ibmslapd.conf on 5.1, 5.2, and 6.0 systems) and all standard schema filesthat are supplied with IBM Tivoli Directory Server from the install_location\etcdirectory to a temporary directory, specified by <backup_directory>.

<install_location> is one of the following:v For the 4.1, 5.1, and 5.2 releases of IBM Tivoli Directory Server: the directory

where IBM Directory Server or IBM Tivoli Directory Server is installed (forexample, C:\Program Files\LDAP).

v For the 6.0 version, the location of the directory server instance (for example,idsslapd\<instance_name>).

For example:

v On a Windows system, to back up files from IBM Directory Server 5.1,installed in the C:\Program Files\IBM\LDAP directory, to a directorynamed d:\ldap\savefiles, type the following:

migbkup.bat "C:\Program Files\IBM\LDAP" d:\ldap\savefiles

Be sure to enclose the path in quotation marks if there is a space in the path.

v On a Linux system, to back up files from IBM Tivoli Directory Server 5.2,installed in the /usr/ldap directory, to a directory named /usr/savefiles,type the following:

migbkup /usr/ldap /usr/savefiles

The command backs up the following files:

v slapd32.conf (only on IBM Directory Server 4.1 systems) or ibmslapd.conf

v V3.ibm.at

v V3.ibm.oc

v V3.system.at

v V3.system.oc

v V3.user.at

v V3.user.oc

v V3.modifiedschema

In addition, for backups on version 6.0, the command backs up the followingfiles:

v V3.config.at

v V3.config.oc

v V3.ldapsyntaxes




v V3.matchingrules

v ibmslapdcfg.ksf

v ibmslapddir.ksf

v ibmdiradmService.cmd

v ibmslapdService.cmd

The command also creates the db2info file.

If you have additional schema files that you used in your previous release,copy them manually to the backup_directory also. When you migrate theconfiguration and schema files during instance creation, these files will not bemigrated, but they will be copied to the new directory server instance locationfor use by the directory server instance.

4. Be sure that the operating system on which you will install Tivoli DirectoryServer 6.1 is supported. See IBM Tivoli Directory Server Version 6.1 SystemRequirements for information about supported levels. If the operating system isnot supported, install a supported version.

5. If your current version of DB2 is a version not supported for IBM TivoliDirectory Server 6.1 such as DB2 version 7 or v8.1 ESE (32-bit) , you must firstupgrade your DB2 version or FixPack level to a level supported by IBM TivoliDirectory Server 6.1. See IBM Tivoli Directory Server Version 6.1 SystemRequirements for information about supported DB2 versions. Seehttp://www-1.ibm.com/support/docview.wss?uid=swg21200005 forinformation about upgrading your DB2 version. You might also need toupgrade the bit-width of the database using DB2 commands.

6. Use one of the following procedures to upgrade to Tivoli Directory Server 6.1:

v If you want to upgrade using the InstallShield GUI, see “Before you install”on page 25, and then use the information in “Using the InstallShield GUI toinstall and upgrade to Tivoli Directory Server 6.1” on page 41 to upgrade toTivoli Directory Server 6.1.

v If you want to upgrade on an AIX, Linux, Solaris, or HP-UX system usingoperating system utilities and commands, use the information in “Upgradingusing the command line and operating system utilities.”

Upgrading using the command line and operating system utilities

To upgrade to Tivoli Directory Server 6.1 using operating system utilities on AIX,Linux, Solaris, or HP-UX systems:

1. Be sure that you have followed the instructions in “Before you upgrade” onpage 11.

2. Read and understand Chapter 5, “Considerations before you install on AIX,Linux, Solaris, and HP-UX systems,” on page 21.

3. Stop the previous version server and the administration server.

4. If the version of IBM Tivoli Directory Server you are upgrading is before 6.0,uninstall IBM Tivoli Directory Server or IBM Directory Server. Leave thedatabase configured, however, unless the server is a proxy server.

If the version is 6.0, do not uninstall IBM Tivoli Directory Server 6.0 or theupgrade will fail. If you want to uninstall IBM Tivoli Directory Server 6.0, youcan do it after step 6 on page 14.

5. Install Tivoli Directory Server 6.1 using operating system utilities for youroperating system. See one of the following chapters for information:

v Chapter 7, “Installing IBM Tivoli Directory Server using AIX utilities,” onpage 49

Chapter 3. Upgrading from previous releases 13

http://www-1.ibm.com/support/docview.wss?uid=swg21200005

http://www-1.ibm.com/support/docview.wss?uid=swg21200005



v Chapter 8, “Installing IBM Tivoli Directory Server using Linux utilities,” onpage 61

v Chapter 9, “Installing IBM Tivoli Directory Server using Solaris utilities,” onpage 67

v Chapter 10, “Installing IBM Tivoli Directory Server using HP-UX utilities,” onpage 75

Note: If you are upgrading from IBM Directory Server 5.1 or IBM TivoliDirectory Server 5.2 on a Solaris system, recreate the operating systemgroup ldap, which is deleted when you uninstall IBM Directory Server5.1 or IBM Tivoli Directory Server 5.2. If you do not create this group

before running the idsimigr command, the command fails.

6. Use the idsimigr command to migrate the schema and configuration files fromthe earlier release to IBM Tivoli Directory Server 6.1 versions of these files andto create a Tivoli Directory Server 6.1 directory server instance with themigrated information. This directory server instance is the upgraded version of your previous server. In the process, the idsdbmigr command is called andDB2 can be upgraded, or the database might be converted from a 32-bit to a64-bit database if needed. (Database internal data migration occurs when the

Tivoli Directory Server 6.1 directory server instance is started for the first time.)For example, you want to migrate from IBM Tivoli Directory Server 5.2 to IBMTivoli Directory Server 6.1 and:

v You saved the configuration and schema files in a directory named/tmp/ITDS52

v You want to create an instance called myinst with an encryption seed of my_secret_key! and an encryption salt of mysecretsalt.

Use the following command:

idsimigr –I myinst –u /tmp/ITDS52 –e my_secret_key! -g mysecretsalt




Attention: When you create a new directory server instance, be aware of theinformation that follows.

a. If you want to use replication, use a distributed directory, or import andexport LDIF data between server instances, you must cryptographicallysynchronize the server instances to obtain the best performance.

If you are creating a directory server instance that must be

cryptographically synchronized with an existing directory server instance,you must synchronize the server instances before you do either of thefollowing:

v Start the second server instance

v Run the idsbulkload or idsldif2db command from the second serverinstance

See Appendix E, “Synchronizing two-way cryptography between serverinstances,” on page 165 for information about synchronizing directoryserver instances.

b. After you create a directory server instance and configure the database, usethe idsdbback utility to create a backup of the directory server instance.The configuration and directory key stash files are archived along with the

associated configuration and directory data. You can then use theidsdbrestore utility to restore the key stash files if necessary. (You can alsouse the idsdbback utility after you load data into the database. See“Backing up the database” on page 128 for information about backing upthe database.)

Note: If you upgraded from IBM Directory Server 5.1 to IBM Tivoli DirectoryServer 6.1, the server will take longer than usual to start the very first time.After the server has been started for the first time, it will start more quickly.

Migrating the Web Administration Tool and upgrading Embedded

WebSphere Application Server

If you have the Web Administration Tool from IBM Directory Server 5.1 or IBMTivoli Directory Server 5.2 or 6.0 installed into Embedded WebSphere ApplicationServer, the InstallShield GUI can upgrade Embedded WebSphere ApplicationServer to the 6.1.0.7 version and deploy the Web Administration Tool into it,migrating your previous Web Administration Tool configuration.

If you want to upgrade manually because you are not using the InstallShield GUIto install, use the information in the following section.

Migrating Embedded WebSphere Application Server and theWeb Administration Tool

You can use the idswmigr command-line utility to migrate an earlier version of Embedded WebSphere Application Server to the 6.1.0.7 version and deploy the 6.1version of the Web Administration Tool into it.

The idswmigr tool does the following:

v Saves the configuration files for the previous version of the Web AdministrationTool

v Undeploys the previous version of the Web Administration Tool from the earlierversion of Embedded WebSphere Application Server

Chapter 3. Upgrading from previous releases 15



v Backs up the configuration for the earlier version of Embedded WebSphereApplication Server to a temporary location that you specify

v Restores the configuration for the earlier version of Embedded WebSphereApplication Server to the new location

v Installs the 6.1 version of the Web Administration Tool into EmbeddedWebSphere Application Server 6.1.0.7

v

Migrates the previous Web Administration Tool configuration files and restoresthese files into the new Embedded WebSphere Application Server

Before you use the idswmigr command, do the following:

1. Uninstall the version of the Web Administration Tool that you have installed.(This is the IDSWebApp.war file in the idstools directory.) However, leaveEmbedded WebSphere Application Server installed, and leave the WebAdministration Tool deployed into it.

2. Install the new version of the Web Administration Tool.

3. Install the new version of Embedded WebSphere Application Server. (Do notdeploy the Web Administration Tool into Embedded WebSphere ApplicationServer. The idswmigr command will do this.)

To use the idswmigr command-line utility to upgrade Embedded WebSphereApplication Server and the Web Administration Tool and deploy the WebAdministration Tool into Embedded WebSphere Application Server, type thefollowing at a command prompt:

idswmigr [-l temp_path] [-s source_path -t target_path -r profile_name-a app_name -v -i prev_dir -o ports_path]

where:

-s source_pathSpecifies the source location for the previous version of EmbeddedWebSphere Application Server.

-t target_pathSpecifies the target location where the new Embedded WebSphereApplication Server has been installed.

-r profile_nameSpecifies the profile name associated with the application. Defaults toTDSWebAdminProfile if not specified.

-l temp_pathSpecifies a location for the temporary files.

-v Displays the command syntax.

-i prev_dirOn Windows systems only, specifies the directory where the previousversion of IBM Directory Server or IBM Tivoli Directory Server is installed.

-a app_name-a is the application name. Defaults to IDSWebApp.war if not specified.

-o ports_pathSpecifies the fully qualified path of the ports definition file. If not specified,defaults to C:\Program Files\IBM\LDAP\V6.1\idstools\TDSWEBPortDef.props on Windows systems or /opt/ibm/ldap/V6.1/idstools/TDSWEBPortDef.props on AIX, Linux, Solaris, and HP-UXsystems.




Chapter 4. Installing language packs using the InstallShieldGUI

If you want to use the server in languages other than English, you must installlanguage packs for the languages you want to use.

Note: You do not need to install language packs for the client, unless you want touse the idslink and idsrmlink commands and you want messages from thecommands displayed in a language other than English. For informationabout the idslink and idsrmlink commands, see the IBM Tivoli DirectoryServer version 6.1 Command Reference.

You can install language packs with the InstallShield GUI or with operating systemutilities on AIX, Linux, Solaris SPARC, and HP-UX PA-RISC systems. (InstallShieldGUI for language packs is not provided for Solaris X64 or HP-UX Integritysystems.) To install language packs using the InstallShield GUI, use the information

in this chapter. To install using operating system utilities, see the appropriatechapter; choose from one of the following:

v For AIX systems, see Chapter 7, “Installing IBM Tivoli Directory Server usingAIX utilities,” on page 49.

v For Linux systems, see Chapter 8, “Installing IBM Tivoli Directory Server usingLinux utilities,” on page 61.

v For Solaris systems, see Chapter 9, “Installing IBM Tivoli Directory Server usingSolaris utilities,” on page 67.

v For HP-UX systems, see Chapter 10, “Installing IBM Tivoli Directory Serverusing HP-UX utilities,” on page 75.

To install language packs using the InstallShield GUI:

1. Do one of the following:

On Windows systems:

a. Be sure that you are logged on as any member of theAdministrators group.

b. If you are installing from a CD, insert CD 1 in the CD-ROM drive.Go to the drive for your CD-ROM, and then change to the\tdsLangpack directory of the CD.

If you downloaded a zipped file, go to the directory where youunzipped the downloaded .zip files, and then to thetdsV6.1\tdsLangpack subdirectory.

c. If you are using Intel® 32-bit Windows, double-click the

idslp_setup_win32 icon, or type idslp_setup_win32.exe at thecommand prompt.

If you are using AMD/EM64T Windows, double-click theidslp_setup_win64 icon, or type idslp_setup_win64.exe at thecommand prompt.

On AIX, Linux, Solaris, and HP-UX systems:

a. Log in as root.




b. If you are installing from a CD, insert CD 1 in the CD-ROM driveand mount the CD, and then change to the /tdsLangpack directoryof the CD.

If you downloaded .tar files, go to the directory where you untarredthe files, and then change to the tdsV6.1\tdsLangpack subdirectory.

c. Type one of the following:

v

On AIX systems: idslp_setup_aix.binv On xSeries and AMD64/EM64T Linux systems:

idslp_setup_linux86.bin

v On zSeries Linux systems: idslp_setup_linux390.bin

v On iSeries and pSeries Linux systems: idslp_setup_linuxppc.bin

v On Solaris SPARC systems: idslp_setup_solaris.bin. (You mustuse operating system utilities to install language packs on SolarisX64 systems.)

v On HP-UX PA-RISC systems: idslp_setup_hp.bin. (You must useoperating system utilities to install language packs on HP-UXIntegrity systems.)

2. The Welcome window is displayed. Click Next.3. On Windows systems only, if you have not yet installed IBM Tivoli Directory

Server, a window is displayed asking where you want to install the languagepacks. This path will also be the path where IBM Tivoli Directory Server isinstalled. Click Next to install in the default directory. You can specify adifferent directory by clicking Browse or typing the path you want. Thedirectory will be created if it does not exist.

Note: Be sure that the installation location is not the same as the path whereanother version of the client is installed.

4. A window showing the languages is displayed. The languages you can chooseare:

v

Germanv French

v Italian

v Spanish

v Japanese

v Korean

v Portuguese (not supported on HP-UX systems)

v Simplified Chinese

v Traditional Chinese

On AIX systems, the following additional languages are available:

v Czechoslovakian

v Hungarian

v Polish

v Russian

v Slovakian

Select the languages you want to install, and then click Next.

5. A summary window displays the languages you want installed, the path wherethese language packs will be installed, and the amount of disk space required.Click Back to change any of your selections. Click Next to begin installation.




6. After installation is complete, click Finish on the confirmation window.

Language packs are installed in the LangPack subdirectory of the directory whereIBM Tivoli Directory Server is installed.

Chapter 4. Installing language packs using the InstallShield GUI 19



Chapter 5. Considerations before you install on AIX, Linux,Solaris, and HP-UX systems

For AIX, Linux, Solaris, and HP-UX systems, there are some environments thatmight require special setup.

Mounting and unmounting the CD during installation

On AIX, Linux, Solaris, and HP-UX systems, if you are installing from CD-ROMscreated from the downloaded .iso files, you must mount the CD before you begininstalling. The following sections discuss special considerations on Solaris 9 andHP-UX systems.

Mounting and unmounting the CD on Solaris 9 systemsOn Solaris 9 systems, if you are installing from a CD, the first CD is automountedto /cdrom/directoryv6.1 when you insert it into the CD-ROM drive. Duringinstallation, each time you are prompted for another CD , you must unmount andeject the currently mounted CD, restart the volume management daemon, andmount the next CD so that the volume management daemon does not incrementthe mount point. Use the following instructions whenever you are prompted toinsert another CD:

1. Unmount the CD:

umount /cdrom/directoryV6.1

2. Eject the CD:

eject

3. Stop the volume management daemon:

/etc/init.d/volmgt stop

4. Restart the volume management daemon:/etc/init.d/volmgt start

When you insert the next CD and it is automounted, it is mounted at/cdrom/directoryv6.1.

Mounting and unmounting the CD on HP-UX systemsTo be sure that you install IBM Tivoli Directory Server correctly on HP-UXsystems, use the following procedures to mount and unmount the CD if you areinstalling from CD-ROMs created from the downloaded .iso files.

Mounting the CD on an HP-UX system1.

To verify that the Portable File Systems (PFS) daemons are enabled and active,type the following at a command prompt:

ps -aef | grep pfs

If the output of the command shows pfs_mountd, pfsd and the correspondingrpc processes as in the following example, go to step 3 on page 22.

ps -aef | grep pfsroot 20381 17407 0 14:04:51 pts/tb 0:00 /usr/sbin/pfs_mountdroot 20388 20387 0 14:05:20 pts/tb 1:06 pfsd.rpcroot 20382 20381 0 14:04:51 pts/tb 0:00 pfs_mountd.rpcroot 20387 17407 0 14:05:20 pts/tb 0:00 /usr/sbin/pfsd




Otherwise, continue to step 2 to start the PFS daemons.

2. To start the PFS processes on an HP-UX system, issue the commands:

nohup /usr/sbin/pfs_mountd &nohup /usr/sbin/pfsd &

3. Mount the CD to /SD_CDROM or any other directory that can act as mountpoint. This directory must exist before you run the pfs_mount command. To

create this directory, type the following command:mkdir /SD_CDROM

To mount the CD, type the following command:

/usr/sbin/pfs_mount <CD_device_name> < mount_point_dir>

where <CD_device_name> is the device name of the CD drive on the computer,and <mount_point_dir> is the directory that is acting as the mount point. Forexample:

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /SD_CDROM

The CD is now mounted and you can install IBM Tivoli Directory Server.

Unmounting the CDTo unmount and eject the CD:

1. Be sure that no processes are using the CD.

2. Unmount the CD. Type the following command:

/usr/sbin/pfs_umount /SD_CDROM

Where /SD_CDROM is the mount point.

3. Eject the CD.

Note: If the CD fails to eject, type the following command:

/usr/sbin/pfs_umount -c <CD_device_name>

For example:

/usr/sbin/pfs_umount -c /dev/dsk/c0t0d0

Then eject the CD.

The idsldap user and group

During installation of a server, the idsldap user and group are created if they donot already exist. If your environment requires that you have more control overthis user and group, you can create them before you install. Requirements are:

v The idsldap user must be a member of the idsldap group.

v The root user must be a member of the idsldap group.

v The idsldap user must have a home directory.

v The default shell for the idsldap user must be the Korn shell.

v The idsldap user can have a password, but is not required to.

v The idsldap user can be the owner of the director server instance.

You can use the Instance Administration Tool to create users and groups as you arecreating a directory server instance, or you can use the following commands tocreate the user idsldap and the group idsldap and set them up correctly:




On AIX systems:Use the following commands.

To create the idsldap group:

mkgroup idsldap

To create user ID idsldap, which is a member of group idsldap, and set the

korn shell as the default shell:mkuser pgrp=idsldap home=/home/idsldap shell=/bin/ksh idsldap

To set the password for user idsldap:

passwd idsldap

To modify the root user ID so that root is a member of the group idsldap:

/usr/bin/chgrpmem -m + root idsldap

On Linux systems:Use the following commands.


groupadd idsldap

To create user ID idsldap, which is a member of group idsldap, and set thekorn shell as the default shell:

useradd -g idsldap -d /home/idsldap -m -s /bin/ksh idsldap


passwd idsldap

To modify the root user ID so that root is a member of the group idsldap:

usermod -G idsldap,rootgroups root

where rootgroups can be obtained by using the command: groups root

On Solaris systems:Use the following commands.


groupadd idsldap


useradd -g idsldap -d /export/home/idsldap -m -s /bin/ksh idsldap


passwd idsldap

To modify the root user ID so that root is a member of the group idsldap,use the AdminTool or another appropriate tool.

On HP-UX systems:Use the following commands.


groupadd idsldap


Chapter 5. Considerations before you install on AIX, Linux, Solaris, and HP-UX systems 23



useradd -g idsldap -d /home/idsldap -m -s /bin/ksh idsldap


passwd idsldap

To modify the root user ID so that root is a member of the group idsldap,use the sam tool or another appropriate tool.

Be sure that all these requirements are met before you install. The proxy serverdoes not install correctly if the idsldap user exists but does not meet therequirements.

Note: For information about requirements for other user IDs you must create, seeAppendix D, “Setting up users and groups: directory server instance owner,database instance owner, and database owner,” on page 161.

Installation path on AIX, Linux, Solaris, and HP-UX platforms

IBM Tivoli Directory Server is installed in the following path:

On AIX, Solaris, and HP-UX systems:/opt/IBM/ldap/V6.1

On Linux systems:/opt/ibm/ldap/V6.1

Using commands to set and remove links

Links for client and server utilities are not set automatically during installation.However, if you are upgrading from Tivoli Directory Server 6.0 and you have linksset to the utilities, these links will remain unless you change them.

You can use the idslink utility to set the links to Tivoli Directory Server 6.1

command-line utilities such as idsldapmodify and idsldapadd and libraries suchas libibmldap.so. These links point to the location where the IBM Tivoli DirectoryServer 6.1 utilities and libraries reside: installpath/bin, installpath/sbin, andinstallpath/lib. (installpath is the directory where IBM Tivoli Directory Server 6.1 isinstalled. To remove the links set by the idslink utility, you can use the idsrmlinkutility.

For more information about these commands, see the IBM Tivoli Directory Serverversion 6.1 Command Reference.




Chapter 6. Installing IBM Tivoli Directory Server using theInstallShield GUI

You can use the InstallShield GUI to install IBM Tivoli Directory Server. If you donot want to use the InstallShield GUI to install, this book contains a manualinstallation procedure for each operating system in separate chapters. For example,see Chapter 7, “Installing IBM Tivoli Directory Server using AIX utilities,” on page49.

If you install IBM Tivoli Directory Server using the InstallShield GUI, you mustalso uninstall using the InstallShield GUI. This is also true for installation of corequisite products such as DB2, Embedded WebSphere Application Server, andGSKit. See “Uninstalling IBM Tivoli Directory Server using the InstallShield GUI”on page 141 for instructions for removing IBM Tivoli Directory Server using theInstallShield GUI.

Before you installBe sure that the requirements for your operating system are met before you begininstallation. See IBM Tivoli Directory Server version 6.1 System Requirements forinformation.

Before installing, be sure that the following conditions are met. If these conditionsare not met, the installation program will exit.

v If you are upgrading from a previous release (IBM Directory Server 4.1 or 5.1,or IBM Tivoli Directory Server 5.2 or 6.0):

Use the instructions in Chapter 3, “Upgrading from previous releases,” on page11 to migrate your data and install IBM Tivoli Directory Server 6.1.

vIf you have a version of DB2 that is not supported installed on your computerand you are not upgrading from a previous release of IBM Tivoli DirectoryServer:

Upgrade your DB2 version to a supported version, or remove DB2. DB2 9 FixPack 2 (or DB2 9 Fix Pack 1 for Solaris Opteron only) is included with IBMTivoli Directory Server. If you do not have a version of DB2 on your system, theInstallShield GUI installs it if you choose to install the full server.

v The server and the client from IBM Tivoli Directory Server 6.1 can coexist withthe following clients and servers:

– A client from any of the following:

- IBM Directory Server 4.1


- IBM Tivoli Directory Server 5.2


– A server from IBM Tivoli Directory Server 6.0

If any of these are installed, you can leave them installed.

However, links on AIX, Linux, Solaris, and HP-UX systems for Tivoli DirectoryServer 6.1 libraries and commands are not set. If you want to set links to TivoliDirectory Server libraries and commands, use the idslink command. See theIBM Tivoli Directory Server Version 6.1 Command Reference for information aboutthe command.




On Windows systems, the path is not set to include the directories where theTivoli Directory Server 6.1 libraries and commands reside. This means that whenusing the command line, you must type the full path to the command or go tothe subdirectory where the command resides before typing the command.Otherwise, the command will not be found. As an alternative, you can updateyour PATH environment variable to include the following Tivoli DirectoryServer 6.1 subdirectories:

– <installpath>\sbin

– <installpath>\bin

– <installpath>\lib

(By default, <installpath> on Windows systems is C:\Program Files\IBM\LDAP\V6.1.)

If you have more than one version of Tivoli Directory Server installed and youset the path to find commands for one version of Tivoli Directory Server, youmust type the full path or go to the subdirectory where the command resides if you want to issue a command for another version of Tivoli Directory Server.

v If you have the Web Administration Tool from IBM Directory Server 5.1 or IBMTivoli Directory Server 5.2 or 6.0 installed and you want to migrate it, leave the

embedded version of WebSphere Application Server - Express installed with theWeb Administration Tool deployed into it. The IBM Tivoli Directory Server 6.1Web Administration Tool does not work with earlier versions of EmbeddedWebSphere Application Server. (You can uninstall the old version of embeddedversion of WebSphere Application Server - Express later.)

v On Windows systems, if you are installing the proxy server or the full server, theAdministrators group provided with the Windows operating system must exist.

v On Windows systems, be sure that you have at least 255 MB of free space in thedirectory specified by the TEMP environment variable or the directory you wantto use as a temporary directory. If you use a temporary directory and you areinstalling any of the corequisite products (IBM Tivoli Directory Integrator,Embedded WebSphere Application Server, or DB2) be sure that you have 150

MB in the directory specified by the TEMP environment variable.v On AIX and Linux systems, be sure that you have at least 300 MB of free space

in the /tmp directory or the directory you want to use as a temporary directory.If you use a temporary directory and you are installing any of the corequisiteproducts (IBM Tivoli Directory Integrator, Embedded WebSphere ApplicationServer, or DB2) be sure that you have 150 MB in the /tmp directory.

v On Solaris and HP-UX systems, be sure that you have at least 400 MB of freespace in the /tmp directory or the directory you want to use as a temporarydirectory. If you use a temporary directory and you are installing any of thecorequisite products (IBM Tivoli Directory Integrator, Embedded WebSphereApplication Server, or DB2) be sure that you have 150 MB in the /tmp directory.

v On AIX, Linux, Solaris, and HP-UX systems, if you install IBM Tivoli Directory

Integrator, the InstallShield GUI installation program incorrectly assumes theDeployment Engine necessary for IBM Tivoli Directory Integrator will beinstalled into the /opt directory, when it will actually be installed into the /usrdirectory. If /opt is in a different partition than /usr, the space calculation mightnot be correct. Be sure that the /usr directory has at least 200 MB of free spaceon AIX and Linux systems, and 300 MB of free space on Solaris and HP-UXsystems if you are installing IBM Tivoli Directory Integrator.

Installing IBM Tivoli Directory Server on a Windows system

There are two installation paths in the InstallShield GUI: Typical and Custom.




v Use the Typical installation path if you want to accept default settings, install allthe IBM Tivoli Directory Server components that are not already installed, andcreate a default directory server instance.

v Use the Custom installation path if you want to select components forinstallation and create a directory server instance using the InstanceAdministration Tool. When you use this tool you can customize the directoryserver instance.

Installing with the Typical installation path on Windowssystems

To install IBM Tivoli Directory Server 6.1 using the Typical installation path:

1. Be sure that you are logged on as any member of the Administrators group.

2. On the computer where you are installing IBM Tivoli Directory Server, stopany programs that are running and close all windows. If you have openwindows, the initial IBM Tivoli Directory Server installation window might behidden behind other windows.

3. If you are installing from a CD:

a. Insert CD 1 in your CD-ROM drive.

b. Go to the drive for your CD-ROM, and then go to the \tds folder.

If you are installing from downloaded .zip files, go to the folder where youunzipped the downloaded .zip files, and then go to the tdsV6.1\tds folder.

4. Double-click the install_tds.bat icon.

If you prefer, you can use the command line to begin installation and specifya temporary directory other than the one specified by the TEMP environmentvariable. To use this option, go to the appropriate directory (from step 3) andtype the following at a command prompt:

install_tds.bat -is:tempdir directory

where directory is the directory you want to use for temporary space. Be sure

that you have at least 255 MB of free space in this directory. If you areinstalling any of the corequisite products (IBM Tivoli Directory Integrator,Embedded WebSphere Application Server, or DB2) be sure that you also have150 MB in the directory specified by the TEMP environment variable.

For example:

install_tds.bat -is:tempdir "c:\My Documents\temp"

The language window is displayed.

Note: If the installation program exits without displaying the languagewindow, it might be because there is not enough space in the directoryspecified by the TEMP environment variable or the directory youspecified for temporary space. Be sure that you have at least 255 MB of

free space in this directory.5. Select the language you want to use during IBM Tivoli Directory Server

installation. Click OK.

Note: This is the language used in the installation program, not in IBM TivoliDirectory Server. The language used in IBM Tivoli Directory Server isdetermined by the language pack you install.

6. On the Welcome window, click Next.

7. After reading the Software license agreement, select I accept both the IBMand the non-IBM terms. Click Next.

Chapter 6. Installing IBM Tivoli Directory Server using the InstallShield GUI 27



8. If you have any components already installed, they are displayed with theircorresponding version levels. Click Next.

9. To install in the default directory, click Next. You can specify a differentdirectory by clicking Browse or typing the directory path you want. Thedirectory will be created if it does not exist. (The default installation directoryis C:\Program Files\IBM\LDAP\V6.1.)

Notes:a. If you have already installed one or more language packs, the installation

location is set to the path where you installed the language packs, and youare not asked where you want to install.

b. Be sure that the installation location is not the same as the path whereanother version of the client or the server is installed.

c. Do not use special characters, such as hyphen (-) and period (.) in thename of the installation directory. For example, use ldapdir rather thanldap-dir or ldap.dir.

10. Click Typical.

11. If DB2 is being installed, a window is displayed prompting you to enter aWindows user ID and password for the DB2 system ID. On the window:

a. Type the user ID. This user ID must not be the user ID you intend to useas the owner of the directory server instance.

If you are not using an existing user ID, DB2 creates the user ID youspecify with the password you type. This is the preferred method.

Note: If you are creating a new user ID and your system has "Passwordmust meet complexity requirements" enabled, be sure that thepassword you supply meets the complexity requirements. If it doesnot, installation will fail. See the Windows documentation forinformation about complexity requirements.

If you are using an existing Windows user ID, it must be a member of theAdministrators group.

b. Type the password, and then type the password again for verification. (If you are using an existing Windows user ID, be sure that your password iscorrect. Otherwise, DB2 does not install correctly.)

c. Click Next.

12. The installation program now has enough information to begin installing. Asummary window displays the components that will be installed, theinstallation locations, and the amount of disk space required. The Typicalinstallation path installs all features that are not already installed. If you wantto install different features, you must click Back until you reach the windowwhere you selected Typical installation, and select Custom installation instead.Then use the instructions in “Installing with the Custom installation path onWindows systems” on page 30. Typical installation does not allow you toselect features for installation.

Click Install to begin installation.

Progress windows are displayed as features are installed.

If you are installing from CDs, you are prompted to insert different CDsduring the installation. Be sure to follow the instructions carefully and insertthe correct CDs, or installation will not proceed correctly and unpredictableresults might occur.




Confirm seedType the encryption seed string again for confirmation.

Administrator DN passwordType a password for the administrator DN for the directory serverinstance. (The Administrator DN for the default directory instance iscn=root.)

Confirm DN passwordType the administrator DN password again for confirmation.

Click Next when you have completed all the fields.

14. Click Finish.

Note: If you are asked if you want to restart your computer now or later,select the option you want and click Finish. (You might need to restartyour system to complete IBM Tivoli Directory Server installation. Youare unable to use IBM Tivoli Directory Server until this is completed.)

If your computer is restarted, log in using the same user ID that you

used to install IBM Tivoli Directory Server.If you installed DB2, the DB2 First Steps GUI might be started. You can gothrough the DB2 First Steps or close this GUI.

Note: A license subdirectory is created in the directory where IBM Tivoli DirectoryServer is installed. This subdirectory contains IBM Tivoli Directory Serverlicense files in all provided languages.

The Instance Administration Tool starts. You can use the Instance AdministrationTool to add more directory server instances or edit existing directory serverinstances. See Chapter 12, “Creating and administering instances,” on page 93 forinstructions.

To make changes to your configuration at a later time, see Chapter 13,“Configuration,” on page 111 for more information about using the ConfigurationTool.

If any errors occurred during installation, instance creation, or configuration, seethe information in the IBM Tivoli Directory Server version 6.1 Problem DeterminationGuide for information about recovering from these errors.

Installing with the Custom installation path on Windowssystems

To install IBM Tivoli Directory Server 6.1 on a Windows system using the Custominstallation path:

1. Be sure that you are logged on as any member of the Administrators group.

2. On the computer where you are installing IBM Tivoli Directory Server, stopany programs that are running and close all windows. If you have openwindows, the initial IBM Tivoli Directory Server installation window might behidden behind other windows.



b. Go to the drive for your CD-ROM, and then go to the \tds folder.




If you are installing from downloaded .zip files, go to the folder where youunzipped the downloaded .zip files, and then go to the tdsV6.1\tds folder.

4. Double-click the install_tds.bat icon.

If you prefer, you can use the command line to begin installation and specifya temporary directory other than the one specified by the TEMP environmentvariable. To use this option, go to the appropriate directory (from step 3 on

page 27) and type the following at a command prompt:install_tds.bat -is:tempdir directory

where directory is the directory you want to use for temporary space. Be surethat you have at least 255 MB of free space in this directory. If you areinstalling any of the corequisite products (IBM Tivoli Directory Integrator,Embedded WebSphere Application Server, or DB2) be sure that you also have150 MB in the directory specified by the TEMP environment variable.

For example:



Note: If the installation program exits without displaying the languagewindow, it might be because there is not enough space in the directoryspecified by the TEMP environment variable or the directory youspecified for temporary space. Be sure that you have at least 255 MB of free space in this directory.

5. Select the language you want to use during IBM Tivoli Directory Serverinstallation. Click OK.





9. To install in the default directory, click Next. You can specify a differentdirectory by clicking Browse or typing the directory path you want. Thedirectory will be created if it does not exist. (The default installation directoryis C:\Program Files\IBM\LDAP\V6.1.)

Notes:

a. If you have already installed one or more language packs, the installationlocation is set to the path where you installed the language packs, and youare not asked where you want to install.

b. Be sure that the installation location is not the same as the path whereanother version of the client is installed.


10. Click Custom and then click Next.

If the window in the following step is very slow to be displayed, you might have aslow network drive attached. You can detach the network drive and see if thewindow is displayed more quickly.




11. A window showing the following components for installation is displayed:

v Tivoli Global Security Kit

v DB2 V9.1

v Embedded WebSphere Application Server

v C Client 6.1

v Java Client 6.1

v Web Administration Tool 6.1

v Proxy Server 6.1

v Server 6.1

v Tivoli Directory Integrator

You can choose to reinstall the server, the client, or the Web AdministrationTool if they were previously installed.

Notes:

a. The installpath\bin, installpath\sbin, and installpath\lib directories are notadded to the Path environment variable. This allows IBM Tivoli DirectoryServer 6.1 to coexist with IBM Tivoli Directory Server 6.0.

b. If the Web Administration Tool is installed, Directory Services MarkupLanguage (DSML) files are also copied to your computer. See Appendix M,“Installing and configuring DSML,” on page 185 for information aboutinstalling and configuring DSML.

c. If the Web Administration Tool is installed, a Web application server isrequired to run the tool, and Embedded WebSphere Application Server6.1.0.7 is installed and configured for you. If version 5.0, 5.0.2, or 5.1.1 of Embedded WebSphere Application Server is already installed, theInstallShield GUI installation program automatically migrates it to version6.1.0.7. Any configuration files from the previous Web Administration Toolare backed up and restored. If you want to use another WebSphereapplication server, you must select a Web application server.

When Embedded WebSphere Application Server is installed and anapplication (such as the Web Administration tool or the IBM TivoliDirectory Integrator Administration and Monitoring Console) is installedinto Embedded WebSphere Application Server, the Embedded WebSphereApplication Server server for that application is also installed as a service.

d. The copy of IBM Tivoli Directory Integrator provided includes the IBMTivoli Directory Integrator Server and the IBM Tivoli Directory IntegratorAdministration and Monitoring Console. The IBM Tivoli DirectoryIntegrator Configuration Editor, which is used to develop assembly linesand event handlers, is not included as part of IBM Tivoli Directory Server.If you want the full version of IBM Tivoli Directory Integrator, purchaseIBM Tivoli Directory Integrator 6.1.1, which includes all the features of IBM Tivoli Directory Integrator.

If you install a server, you must install IBM Tivoli Directory Integrator if you want to do any of the following:

v Use the idssupport tool, which gathers information from your systemthat you can supply to IBM Software Support if you encounterproblems, or the log management tool (idslogmgmt).

You can find information about the support tool and the logmanagement tool in the IBM Tivoli Directory Server version 6.1 ProblemDetermination Guide.





v Use the Active Directory synchronization feature.

You can find information about SNMP and Active Directorysynchronization in the IBM Tivoli Directory Server version 6.1 Administration Guide for information.

This window also indicates the amount of disk space required and availableon the selected drive.

Be sure the components you want to install are selected, and click Next.12. If you selected Server 6.1 but not DB2 V9.1 and there are multiple versions of

DB2 (such as versions 8 and 9) on the system, you are asked to select theversion of DB2 you want to use with Tivoli Directory Server 6.1.

13. If you selected DB2 V9.1, a window is displayed prompting you to enter aWindows user ID and password for the DB2 system ID. On the window:



Note: If you are creating a new user ID and your system has "Password

must meet complexity requirements" enabled, be sure that thepassword you supply meets the complexity requirements. If it doesnot, installation will fail. See the Windows documentation forinformation about complexity requirements.


b. Type the password, and then type the password again for verification. (If you are using an existing Windows user ID, be sure that your password iscorrect. Otherwise, DB2 does not install correctly.)

c. Click Next.

14. The Web Administration Tool 6.1 and Tivoli Directory Integrator 6.1 areapplications that require a Web application server. If you selected WebAdministration Tool 6.1, Tivoli Directory Integrator, or both, but you did notselect Embedded WebSphere Application Server, a window is displayed foreach of the applications you selected asking you to specify a Web applicationserver into which to deploy the application. You can do one of the following:

v Click Detected WebSphere Application Servers and then select aWebSphere Application Server that is installed on the system and detected

by the InstallShield GUI installation program. The application will bedeployed into this version of WebSphere Application Server.

v Click Custom location of WebSphere Application Server to specify a pathto a version of WebSphere Application Server in a different location. Theapplication will be deployed into this version of WebSphere ApplicationServer.

v Click Do not specify. I will manually deploy at a later time. You mustdeploy the application into a WebSphere Application Server before you canuse the application.

15. The installation program now has enough information to begin installing. Asummary window displays the components you selected and the locationswhere the selected components will be installed. Click Back to change any of your selections. Click Install to begin installation.





Note: After installation has begun, do not try to cancel the installation. If youinadvertently cancel the installation, see the information about

recovering from a failed installation in the IBM Tivoli Directory Serverversion 6.1 Problem Determination Guide before you attempt to reinstall.

16. If you are asked if you want to restart your computer now or later, select theoption you want and click Finish. (You might need to restart your system tocomplete IBM Tivoli Directory Server installation. You are unable to use IBMTivoli Directory Server until this is completed.)

If your computer is restarted, log in using the same user ID that you used toinstall IBM Tivoli Directory Server.

If you installed DB2, the DB2 First Steps GUI might be started. You can gothrough the DB2 First Steps or close this GUI.

Note: A license subdirectory is created in the directory where IBM Tivoli Directory

Server is installed. This subdirectory contains IBM Tivoli Directory Serverlicense files in all provided languages.

If you installed a server, the Instance Administration Tool automatically starts sothat you can create a directory server instance and complete configuration. Beforeyou can use the server, you must:

v Create a directory server instance.

v Set the administrator DN and password for the instance.

v If you installed and plan to use the full server, configure the database that willstore the directory data. (The proxy server does not require a database.)

To create a directory server instance, use the instructions in “Creating a directory

server instance” on page 94. You can set the administrator DN and password andconfigure the database during the instance creation process.


If any errors occurred during installation, instance creation, or configuration, seethe information IBM Tivoli Directory Server version 6.1 Problem Determination Guidefor information about recovering from these errors.

Installing IBM Tivoli Directory Server on an AIX, Linux, Solaris, or

HP-UX systemIBM Tivoli Directory Server is installed in the following directory:

v On AIX, Solaris and HP-UX systems: /opt/IBM/ldap/V6.1

v On Linux systems: /opt/ibm/ldap/V6.1

There are two installation paths in the InstallShield GUI: Typical and Custom.

v Use the Typical installation path if you want to accept default settings, install allthe IBM Tivoli Directory Server components that are not already installed, andcreate a default directory server instance.




v Use the Custom installation path if you want to select components forinstallation and create a directory server instance using the InstanceAdministration Tool. When you use this tool you can customize the directoryserver instance.

Installing with the Typical installation path on AIX, Linux,

Solaris, and HP-UX systemsTo install IBM Tivoli Directory Server 6.1 on an AIX, Linux, Solaris, or HP-UXsystem using the Typical installation path:

1. Log in as root.

2. If you are installing from a CD, insert and mount CD 1 in your CD-ROMdrive, and then change directories to the /tds directory on the CD.

If you are installing from downloaded .tar files, go to the /tdsV6.1/tdssubdirectory of the directory where you untarred the downloaded .tar files.

Notes:

a. If you are installing from CDs on a Solaris 9 system, be sure to see“Mounting and unmounting the CD on Solaris 9 systems” on page 21.

b. If you are installing from CDs on an HP-UX system, be sure to see“Mounting and unmounting the CD on HP-UX systems” on page 21.

3. Type ./install_tds.sh

If you prefer, you can specify a temporary directory other than the systemtemporary directory. To use this option, change directories to the appropriatedirectory (from step 2) and type the following at a command prompt:

./install_tds.sh -is:tempdir directory

where directory is the directory you want to use for temporary space. Be surethat you have at least 300 MB of free space in this directory on AIX and Linuxsystems, and 400 MB on Solaris and HP-UX systems. If you are installing anyof the corequisite products (IBM Tivoli Directory Integrator, Embedded

WebSphere Application Server, or DB2) be sure that you also have 150 MB inthe /tmp directory.

For example:

./install_tds.sh -is:tempdir /opt/tmp

A language window is displayed.






8. Click Typical.

9. The installation program now has enough information to begin installing. Asummary window displays the components that will be installed, theinstallation locations, and the amount of disk space required. The Typicalinstallation path installs all features that are not already installed. If you wantto install different features, you must click Back until you reach the window




where you selected Typical installation, and select Custom installation instead.Then use the instructions in “Installing with the Custom installation path onAIX, Linux, Solaris, and HP-UX systems” on page 37. Typical installation doesnot allow you to select features for installation.

Click Install to begin installation.

Progress windows are displayed as features are installed.


Notes:

a. If the Web Administration Tool is installed, Directory Services MarkupLanguage (DSML) files are also copied to your computer. See Appendix M,“Installing and configuring DSML,” on page 185 for information aboutinstalling and configuring DSML.

b. If the Web Administration Tool is installed, a Web application server isrequired to run the tool, and Embedded WebSphere Application Server6.1.0.7 is installed and configured for you. If version 5.0, 5.0.2, or 5.1.1 of

Embedded WebSphere Application Server is already installed, theInstallShield GUI installation program automatically migrates it to version6.1.0.7. Any configuration files from the previous Web Administration Toolare backed up and restored. If you want to use another WebSphereapplication server, you must use Custom installation to select a Webapplication server.

c. Because different versions of IBM Tivoli Directory Server clients and serverinstances can coexist on the same system, no links are set for client andserver utilities. If you want to set links, use the idslink command afterinstallation. See the IBM Tivoli Directory Server version 6.1 CommandReference for information about the idslink command and the idsrmlinkcommand, which you can use to remove previously set links.

Note: After installation has begun, do not try to cancel the installation. If youinadvertently cancel the installation, see the information aboutrecovering from a failed installation in the IBM Tivoli Directory Serverversion 6.1 Problem Determination Guide before you attempt to reinstall.

10. The Typical installation path creates the default directory server instance withthe following information, which you cannot change:

Name: idsinst (On Solaris systems, this directory is /export/home/idsinst.)Instance location: /home/idsinstGroup name: dbsysadmAdministrator DN: cn=rootDatabase name: idsdb

In addition, the o=sample suffix is created for the default directory serverinstance. You can add other suffixes later with the Configuration Tool or theidscfgsuf command. See “Managing suffixes” on page 121 for information.

Type the following additional information about the default directory serverinstance in the appropriate fields:

User passwordType the system password for user idsinst. If this user does not existon the system, the user ID will be created with the password youspecify. If the user ID already exists, be sure to type the correctpassword for the user.




Confirm passwordType the password again for confirmation.

Encryption seedType an encryption seed string (used as a seed for generatingencrypted stash files). The string can use characters a-z, A-Z, or 0-9.This string must be a minimum of 12 characters and a maximum of

1016 characters.Confirm seed

Type the encryption seed string again for confirmation.

Administrator DN passwordType a password for the administrator DN for the directory serverinstance. (The Administrator DN for the default directory instance iscn=root.)

Confirm DN passwordType the administrator DN password again for confirmation.

Click Next when you have completed all the fields.

11. Click Finish.If you installed DB2, the DB2 First Steps GUI might be started. You can gothrough the DB2 First Steps or close this GUI.


The Instance Administration Tool starts. You can use the Instance AdministrationTool to add more directory server instances or edit existing directory serverinstances. See Chapter 12, “Creating and administering instances,” on page 93 forinstructions.


If any errors occurred during installation, instance creation, or configuration, seethe information in the IBM Tivoli Directory Server version 6.1 Problem DeterminationGuide for information about recovering from these errors.

Installing with the Custom installation path on AIX, Linux,Solaris, and HP-UX systems

To install IBM Tivoli Directory Server 6.1 on AIX, Linux, Solaris, and HP-UXsystems using the Custom installation path:

1. Log in as root.

2. If you are installing from a CD, insert CD 1 in your CD-ROM drive, and thenchange directories to the /tds directory on the CD.

Notes:

a. If you are installing from CDs on a Solaris 9 system, be sure to see“Mounting and unmounting the CD on Solaris 9 systems” on page 21.

b. If you are installing from CDs on an HP-UX system, be sure to see“Mounting and unmounting the CD on HP-UX systems” on page 21.




If you are installing from downloaded .tar files, go to the /tdsV6.1/tdssubdirectory of the directory where you untarred the downloaded .tar files.

3. Type ./install_tds.sh

If you prefer, you can specify a temporary directory other than the systemtemporary directory. To use this option, change directories to the appropriatedirectory (from step 2 on page 37) and type the following at a command

prompt:./install_tds.sh -is:tempdir directory

where directory is the directory you want to use for temporary space. Be surethat you have at least 100 MB of free space in this directory. Be sure that youhave at least 300 MB of free space in this directory on AIX and Linux systems,and 400 MB on Solaris and HP-UX systems. If you are installing any of thecorequisite products (IBM Tivoli Directory Integrator, Embedded WebSphereApplication Server, or DB2) be sure that you also have 150 MB in the /tmpdirectory.

For example:


A language window is displayed.4. Select the language you want to use during IBM Tivoli Directory Server

installation. Click OK.





8. Click Custom and then click Next.




v DB2 V9.1


v C Client 6.1

v Java Client 6.1

v Web Administration Tool 6.1v Proxy Server 6.1

v Server 6.1


Components that are already installed are not displayed.




Using the InstallShield GUI to install and upgrade to Tivoli Directory

Server 6.1

If you have a server from IBM Directory Server 4.1 or 5.1 or IBM Tivoli DirectoryServer 5.2 or 6.0, you can use the InstallShield GUI to install Tivoli DirectoryServer 6.1 without uninstalling the previous version first.

If the server is a 4.1, 5.1 or 5.2 server, it will be automatically upgraded to version6.1 and the previous version of Tivoli Directory Server will be uninstalled. (Servers

before the 6.0 release cannot coexist on a system with Tivoli Directory Server 6.1.)

A 6.0 directory server instance can coexist with a 6.1 directory server instance; if you have a 6.0 directory server instance, it will not be automatically upgradedwhen you install Tivoli Directory Server 6.1, but you can migrate the directoryserver instance to 6.1 at the end of installation if you choose to. You can keep the6.0 directory server instance and also create one or more 6.1 directory serverinstances.

Be sure that you have followed the instructions in Chapter 3, “Upgrading from

previous releases,” on page 11.Notes:

1. If the version of DB2 on your system is before DB2 V8, you must upgrade yourDB2 to V8 or V9 before you begin installation.

2. If you want to install a language pack for a language other than English, installit before you upgrade. See Chapter 4, “Installing language packs using theInstallShield GUI,” on page 17 for instructions.

To install IBM Tivoli Directory Server 6.1 on a system that has a 4.1, 5.1, 5.2, or 6.0version of Tivoli Directory Server with a server from that version:

1. Stop the previous version server and the administration server.

2.Start the InstallShield GUI installation program:v On Windows systems:

a. Be sure that you are logged on as a member of the Administratorsgroup.

b. On the computer where you are installing IBM Tivoli Directory Server,stop any programs that are running and close all windows. If you haveopen windows, the initial IBM Tivoli Directory Server installationwindow might be hidden behind other windows.

c. If you are installing from a CD:

1) Insert CD 1 in your CD-ROM drive.

2) Go to the drive for your CD-ROM, and then go to the \tds folder.

If you are installing from downloaded .zip files, go to the folder whereyou unzipped the downloaded .zip files, and then go to the tdsV6.1\tdsfolder.

d. Double-click the install_tds.bat icon.

If you prefer, you can use the command line to begin installation andspecify a temporary directory other than the one specified by the TEMPenvironment variable. To use this option, go to the appropriate directory(from the previous step) and type the following at a command prompt:

install_tds.bat -is:tempdir directory




where directory is the directory you want to use for temporary space. Besure that you have at least 255 MB of free space in this directory. If youare installing any of the corequisite products (IBM Tivoli DirectoryIntegrator, Embedded WebSphere Application Server, or DB2) be surethat you also have 150 MB in the directory specified by the TEMPenvironment variable.

For example:



Note: If the installation program exits without displaying the languagewindow, it might be because there is not enough space in thedirectory specified by the TEMP environment variable or thedirectory you specified for temporary space. Be sure that youhave at least 255 MB of free space in this directory.

v On AIX, Linux, Solaris, and HP-UX systems:

a. Be sure that you are logged on as the root user.

b. If you are installing from a CD, insert CD 1 in your CD-ROM drive, and

then change directories to the /tds directory on the CD.Notes:

1) If you are installing from CDs on a Solaris 9 system, be sure to see“Mounting and unmounting the CD on Solaris 9 systems” on page21.

2) If you are installing from CDs on an HP-UX system, be sure to see“Mounting and unmounting the CD on HP-UX systems” on page 21.

If you are installing from downloaded .tar files, go to the /tdsV6.1/tdssubdirectory of the directory where you untarred the downloaded .tarfiles.

c. Type ./install_tds.sh

If you prefer, you can specify a temporary directory other than thesystem temporary directory. To use this option, change directories to theappropriate directory (from the previous step) and type the following ata command prompt:

./install_tds.sh -is:tempdir directory

where directory is the directory you want to use for temporary space. Besure that you have at least 300 MB of free space in this directory on AIXand Linux systems, and 400 MB on Solaris and HP-UX systems. If youare installing any of the corequisite products (IBM Tivoli DirectoryIntegrator, Embedded WebSphere Application Server, or DB2) be surethat you also have 150 MB in the /tmp directory.

For example:


A language window is displayed.








6. Installed components from the previous version are displayed with theircorresponding version levels. In addition, the DB2 instance from the previousinstance is displayed. Click Next.

7. On Windows systems only, to install in the default directory, click Next. You

can specify a different directory by clicking Browse or typing the directorypath you want. The directory will be created if it does not exist. (The defaultinstallation directory is C:\Program Files\IBM\LDAP\V6.1.)

Notes:

a. If you have already installed one or more language packs, the installationlocation is set to the path where you installed the language packs, and youare not asked where you want to install.

b. Be sure that the installation location is not the same as the path whereanother version of the client is installed.





v DB2 V9.1


v C Client 6.1

v Java Client 6.1

v Web Administration Tool 6.1

v Proxy Server 6.1

v Server 6.1


Notes:

a. On Windows systems only, if you install IBM Tivoli Directory Integrator,the Path environment variable is updated by adding theinstallpath\java\bin directory to the beginning of the existing path.(installpath is the directory where you installed IBM Tivoli DirectoryServer.)

b. On Windows systems only, the installpath\bin, installpath\sbin, andinstallpath\lib directories are not added to the Path environment variable.

This allows IBM Tivoli Directory Server 6.1 to coexist with IBM TivoliDirectory Server 6.0.

c. If the Web Administration Tool is installed, Directory Services MarkupLanguage (DSML) files are also copied to your computer. See Appendix M,“Installing and configuring DSML,” on page 185 for information aboutinstalling and configuring DSML.

d. If the Web Administration Tool is installed, a Web application server isrequired to run the tool, and Embedded WebSphere Application Server6.1.0.7 is installed and configured for you. If version 5.0, 5.0.2, or 5.1.1 of Embedded WebSphere Application Server is already installed, the




InstallShield GUI installation program automatically migrates it to version6.1.0.7. Any configuration files from the previous Web Administration Toolare backed up and restored. If you want to use another WebSphereapplication server, you must select a Web application server.

When Embedded WebSphere Application Server is installed and anapplication (such as the Web Administration tool or the IBM TivoliDirectory Integrator Administration and Monitoring Console) is installedinto Embedded WebSphere Application Server, the Embedded WebSphereApplication Server server for that application is also installed as a service.

e. If you install a server, you must install IBM Tivoli Directory Integrator if you want to do any of the following:

v Use the idssupport tool, which gathers information from your systemthat you can supply to IBM Software Support if you encounterproblems, or the log management tool (idslogmgmt).

You can find information about the support tool and the logmanagement tool in the IBM Tivoli Directory Server version 6.1 ProblemDetermination Guide.


v

Use the Active Directory synchronization feature.You can find information about SNMP and Active Directorysynchronization in the IBM Tivoli Directory Server version 6.1 Administration Guide for information.

Note: IBM Tivoli Directory Integrator is not provided for Solaris X64 orHP-UX Integrity systems.

This window also indicates the amount of disk space required and availableon the selected drive.

Be sure the components you want to install are selected, and click Next.

9. If you selected Server 6.1 but not DB2 V9.1 and there are multiple versions of DB2 (such as versions 8 and 9) on the system, you are asked to select the

version of DB2 you want to use with Tivoli Directory Server 6.1.10. On Windows systems only, if you selected DB2 V9.1, a window is displayed

prompting you to enter a Windows user ID and password for the DB2 systemID. On the window:




b. Type the password, and then type the password again for verification. (If

you are using an existing Windows user ID, be sure that your password iscorrect. Otherwise, DB2 does not install correctly.)

c. Click Next.

11. The Web Administration Tool 6.1 and Tivoli Directory Integrator areapplications that require a Web application server. If you selected the WebAdministration Tool 6.1 or Tivoli Directory Integrator component or both,

but you did not select Embedded WebSphere Application Server, a windowis displayed for each of the applications you selected asking you to specify aWeb application server into which to deploy the application. You can do oneof the following:




Record the encryption seed in a secure location.

v Optionally, type a description of the directory server instance in theInstance description field. This description is displayed in other windowsto help identify the instance.

Click Next.

Note: If the previous version on your system is Tivoli Directory Server 6.0,directory server instances are not upgraded automatically.

14. On Windows systems only, if you are asked if you want to restart yourcomputer now or later, select the option you want and click Finish. (Youmight need to restart your system to complete IBM Tivoli Directory Serverinstallation. You are unable to use IBM Tivoli Directory Server until this iscompleted.)

If your computer is restarted, log in using the same user ID that you used toinstall IBM Tivoli Directory Server.

If you installed DB2, the DB2 First Steps GUI might be started. You can gothrough the DB2 First Steps or close this GUI.


On systems that had a 4.1, 5.1, or 5.2 version of Tivoli Directory Server:

v The old version of Tivoli Directory Server is uninstalled and Tivoli DirectoryServer version 6.1 is installed. Your previous directory server is migrated to a 6.1directory server instance with the name, location, and encryption seed youspecified in step 13 on page 45.

v Your previous configuration and schema files are migrated to 6.1 versions.

v If your previous database was 32-bit and the new database is 64-bit, thedatabase is expanded to 64-bit. When the server is started for the first time, the

directory data is migrated.v If you installed a server, the Instance Administration Tool automatically starts.

You can use this tool to view information about the 6.1 directory server instance.If the upgrade was successful, the directory server instance is created andconfigured and does not need any further setup.

On systems that had Tivoli Directory Server 6.0 installed:

v Tivoli Directory Server 6.1 is installed and Tivoli Directory Server 6.0 is left onthe system.

v If you installed a server, the Instance Administration Tool automatically starts sothat you can migrate your 6.0 directory server instance to 6.1 or create andconfigure a new 6.1 directory server instance. To create a new directory server

instance or migrate a 6.0 directory server instance to 6.1, use the instructions in“Creating a directory server instance” on page 94.

If any errors occur during installation, instance creation, or configuration, see theinformation in the IBM Tivoli Directory Server version 6.1 Problem DeterminationGuide for information about recovering from these errors.

Note: If you upgraded from IBM Directory Server 5.1 to IBM Tivoli DirectoryServer 6.1, the server will take longer than usual to start the very first time.After the server has been started for the first time, it will in a normalamount of time.




After you install using the InstallShield GUI

After you install using the InstallShield GUI, there are directories that you canremove:

v The ismptemp.tds directory is left on the system and can be removed. OnWindows systems, the ismptemp.tds directory is located wherever the TEMPenvironment variable is pointing. On AIX, Linux, Solaris, and HP-UX systems,the ismptemp.tds directory is in the /tmp directory.

If you installed using the -is:tempdir option, the ismptemp.tds dir is at thelocation specified with that option.

v There might also be some ismpxxx directories (where xxx is a number such as001 or 002) in the temporary directory location described in the previous item.You can remove these directories after installation exits.

When TDI is installed, the ISMP installation incorrectly assumes the DeploymentEngine necessary for TDI will be installed into /opt, when it will actually beinstalled into /usr. If /opt is in a different partition than /usr, the space calculationmay not be correct. Be sure that /usr has at least 200M free on AIX and Linux, and300M free on HP and Solaris if TDI is being installed.




which require Java, and you must use the command line to create directoryserver instances and configure the database.

2. You do not need to install security functions if you are not going to use them.You can provide SSL by installing the SSL package on the client, server, or both,as well as installing a Global Security Kit (GSKit), which is included with IBMTivoli Directory Server 6.1. See “Installing GSKit” on page 59 for informationabout installing GSKit.

3. If you are installing IBM Tivoli Directory Server on a node within an RS/6000®

SP™ environment, see “Before installing on a node within an RS/6000 SPenvironment” before beginning installation.

For more detailed information about installation procedures and commands for theAIX operating system, see the AIX Installation Guide provided with the operatingsystem.

Before installing on a node within an RS/6000 SP environment

Attention: Use this section only if you are installing on a node within anRS/6000 SP environment.

If you are installing IBM Tivoli Directory Server on a node within an RS/6000 SPenvironment you must first add the necessary users and groups to the ControlWorkstation (CWS) and propagate them to the nodes using the/var/sysamn/supper update command, as follows:

1. Add the idsldap user and group on the CWS, and add the idsldap and rootusers to the idsldap group. For example:

mkgroup idsldapmkuser idsldapchgrpmem -m + root,idsldap idsldap

2. Update the RS/6000 SP nodes with the new users and groups.

/var/sysamn/supper update

You are now ready to install and configure IBM Tivoli Directory Server on theRS/6000 SP node.

Note: You might want to turn off the timer function on the CWS to each affectedRS/6000 SP node to allow installation, instance creation, and configurationto complete before the CWS updates the timer to the RS/6000 SP node.After installation, instance creation, and configuration are complete andverified, turn the timer function on again.

Packages, filesets, and prerequisites

IBM Tivoli Directory Server is installed in /opt/IBM/ldap/V6.1.

The following information shows the packages you must install for each feature.You can install all the features at the same time, but if you install them separately,you must install them in the order shown.

32-bit client (no SSL)Install (in this order):

1. Package: idsldap.cltbase61

Contains the following filesets:

v idsldap.cltbase61.rte – Base client runtime




v idsldap.cltbase61.adt – Base client SDK

2. Package: idsldap.clt32bit61

Contains fileset idsldap.clt32bit61.rte – 32-bit client (no SSL)

32-bit client (SSL)Install (in this order):







3. Package: idsldap.clt_max_crypto32bit61

Contains fileset idsldap.clt_max_crypto32bit61.rte – 32-bit client (SSL)

64-bit client (no SSL)Install (in this order):







64-bit client (SSL)Install (in this order):




v idsldap.cltbase61.adt – Base client SDK2. Package: idsldap.clt64bit61


3. Package: idsldap.clt_max_crypto64bit61

Contains fileset idsldap.clt_max_crypto64bit61.rte – 64-bit client (SSL)

Java clientInstall the following:

Package: idsldap.cltjava61 Contains fileset idsldap.cltjava61.rte – Java client

Proxy server (64-bit). (This includes the client packages.)Install (in this order):

1. Package: idsldap.cltbase61Contains the following filesets:





3. Package: idsldap.cltjava61

Contains fileset idsldap.cltjava61.rte – Java client

Chapter 7. Installing IBM Tivoli Directory Server using AIX utilities 51



If you are installing a language pack for a language other than English, goto the tdsLangpack subdirectory. (You must install a language pack for thelanguage in which you want server messages displayed. You can installthe language pack before or after you install the server.)

If you are installing from the .tar files:

a. Go to the directory where you untarred the files.

b. If you are installing the client, server, or Web Administration Tool, go tothe tdsV6.1/tds subdirectory.

If you are installing a language pack for a language other than English, goto the tdsV6.1/tdsLangpack subdirectory. (You must install a languagepack for the language in which you want server messages displayed. Youcan install the language pack before or after you install the server.)

3. At the command prompt, type the following:

smit install

and press Enter. The Software Installation and Maintenance window isdisplayed.

4. Click Install and Update Software. The Install and Update Software window

is displayed.5. Click Install and Update from ALL Available Software.

6. Do one of the following:

v If you are installing from the CD, click List next to the INPUTdevice/directory for software field, and select the appropriate CD-ROMdrive or the directory containing the IBM Tivoli Directory Server images.

v If you are installing from the untarred file, type . in the INPUTdevice/directory for software field.

Click OK.

7. Move your cursor to Software to install. Do one of the following:

v Type idsldap to install all the idsldap filesets.

v Click List to list all the filesets on the CD, and then select the filesets thatyou want to install.

If you are installing the product and you select the list option, you see, forexample:

idsldap.clt32bit616.1.0.0 Directory Server - 32 bit Client

idsldap.clt64bit616.1.0.0 Directory Server - 64 bit Client

idsldap.clt_max_crypto32bit616.1.0.0 Directory Server - 32 bit Client (SSL)

idsldap.clt_max_crypto64bit616.1.0.0 Directory Server - 64 bit Client (SSL)

idsldap.cltbase61

6.1.0.0 Directory Server - Base Clientidsldap.cltjava616.1.0.0 Directory Server - Java Client

idsldap.msg61.en_US6.1.0.0 Directory Server - Messages - U.S. English (en)idsldap.srvbase64bit616.1.0.0 Directory Server - Base Server

idsldap.srv64bit616.1.0.0 Directory Server - 64 bit Server

idsldap.srv_max_cryptobase64bit616.1.0.0 Directory Server - Base Server (SSL)

idsldap.srvproxy64bit616.1.0.0 Directory Server - Proxy Server




Removing GSKitTo remove GSKit using SMIT:

1. Invoke SMIT by typing smit at the command line.

2. Select Software Installation and Maintenance on the menu.

3. Select Software Maintenance and Utilities.

4. On the Maintenance window, select Remove Installed Software to open theRemove Software Product window.

5. Enter the name of the software package

6. Set the flag for REMOVE dependent software? to YES to instruct the system toautomatically remove software products and updates that are dependent uponthe product you are removing.

7. Confirm the procedure to complete the removal of the software package.

To remove GSKit using installp, type the following at a command prompt:

installp -u -g -V2 gskta.rteinstallp -u -g -V2 gsksa.rte

wherev -u removes the specified software and any of its installed updates from the

system.

v -g removes or rejects dependents of the specified software.

v -V2 prints an alphabetically ordered list of FAILURES and WARNINGS.




v idsldap-webadmin61-6.1.0-0.i386.rpm – IBM Directory Server - WebAdministration

v idsldap-msg61-en-6.1.0-0.i386.rpm – IBM Directory Server - MessagesU.S. English (en)

v idsldap-ent61-6.1.0-0.i386.rpm - IBM Directory Server Entitlement(supplied only on Passport Advantage®)

zSeries Linux packages:v idsldap-cltbase61-6.1.0-0.s390.rpm – IBM Directory Server - Base Client

v idsldap-clt32bit61-6.1.0-0.s390.rpm – IBM Directory Server - 32 bit Client

Requires idsldap-cltbase61-6.1.0-0.s390.rpm

v idsldap-clt64bit61-6.1.0-0.s390x.rpm – IBM Directory Server - 64 bitClient

Requires idsldap-cltbase61-6.1.0-0.s390.rpm

v idsldap-cltjava61-6.1.0-0.s390.rpm – IBM Directory Server - Java Client

v idsldap-srvbase64bit61-6.1.0-0.s390x.rpm - IBM Directory Server – BaseServer

Requires idsldap-clt64bit61-6.1.0-0.s390x.rpm and its prerequisites

v idsldap-srvproxy64bit61-6.1.0-0.s390x.rpm – IBM Directory Server -Proxy Server

Requires idsldap-srvbase64bit61-6.1.0-0.s390x.rpm and its prerequisites

v idsldap-srv64bit61-6.1.0-0.s390x.rpm – IBM Directory Server - 64 bitServer

Requires idsldap-srvbase64bit61-6.1.0-0.s390x.rpm and its prerequisites

v idsldap-webadmin61-6.1.0-0.s390.rpm – IBM Directory Server - WebAdministration

v idsldap-msg61-en-6.1.0-0.s390.rpm – IBM Directory Server - MessagesU.S. English (en)

v idsldap-ent61-6.1.0-0.s390.rpm - IBM Directory Server Entitlement(supplied only on Passport Advantage)

iSeries and pSeries Linux packages:

v idsldap-cltbase61-6.1.0-0.ppc.rpm – IBM Directory Server - Base Client

v idsldap-clt32bit61-6.1.0-0.ppc.rpm – IBM Directory Server - 32 bit Client

Requires idsldap-cltbase61-6.1.0-0.ppc.rpm

v idsldap-clt64bit61-6.1.0-0.ppc64.rpm – IBM Directory Server - 64 bitClient

Requires idsldap-cltbase61-6.1.0-0.ppc.rpm

v idsldap-cltjava61-6.1.0-0.ppc.rpm – IBM Directory Server - Java Client

v idsldap-srvbase64bit61-6.1.0-0.ppc64.rpm - IBM Directory Server – Base

ServerRequires idsldap-clt64bit61-6.1.0-0.ppc.rpm and its prerequisites

v idsldap-srvproxy64bit61-6.1.0-0.ppc64.rpm – IBM Directory Server -Proxy Server

Requires idsldap-srvbase64bit61-6.1.0-0.ppc64.rpm and its prerequisites

v idsldap-srv64bit61-6.1.0-0.ppc64.rpm – IBM Directory Server - 64 bitServer

Requires idsldap-srvbase64bit61-6.1.0-0.ppc64.rpm and its prerequisites




v idsldap-webadmin61-6.1.0-0.ppc.rpm – IBM Directory Server - WebAdministration

v idsldap-msg61-en-6.1.0-0.ppc.rpm – IBM Directory Server - MessagesU.S. English (en)

v idsldap-ent61-6.1.0-0.ppc.rpm - IBM Directory Server Entitlement(supplied only on Passport Advantage)

AMD64/Opteron/EM64T Linux packages:v idsldap-cltbase61-6.1.0-0.x86_64.rpm – IBM Directory Server - Base Client

v idsldap-clt64bit61-6.1.0-0.x86_64.rpm – IBM Directory Server - 64 bitClient

Requires idsldap-cltbase61-6.1.0-0.x86_64.rpm

v idsldap-cltjava61-6.1.0-0. x86_64.rpm – IBM Directory Server - Java Client

v idsldap-srvbase64bit61-6.1.0-0.x86_64.rpm - IBM Directory Server – BaseServer

Requires idsldap-cltbase61-6.1.0-0.x86_64.rpm and its prerequisites

v idsldap-srvproxy64bit61-6.1.0-0. x86_64.rpm – IBM Directory Server -Proxy Server

Requires idsldap-srvbase64bit61-6.1.0-0.x86_64.rpm and its prerequisites

v idsldap-srv64bit61-6.1.0-0.x86_64.rpm – IBM Directory Server - 64 bitServer

Requires idsldap-srvbase64bit61-6.1.0-0.x86_64.rpm and its prerequisites

v idsldap-webadmin61-6.1.0-0.x86_64.rpm – IBM Directory Server - WebAdministration

v idsldap-msg61-en-6.1.0-0.x86_64.rpm – IBM Directory Server - MessagesU.S. English (en)

v idsldap-ent61-6.1.0-0.x86_64.rpm - IBM Directory Server Entitlement(supplied only on Passport Advantage)

Note: The instructions in this chapter use Linux Intel-based packages. For zSeries,iSeries, or pSeries Linux, substitute the appropriate package names.

Installing featuresTo install the proxy server or the server:

1. Log in as root.

2. Install the 32-bit client by typing the following at a command prompt:

rpm -ihv idsldap-cltbase61-6.1.0-0.i386.rpmrpm -ihv idsldap-clt32bit61-6.1.0-0.i386.rpm

Note: On iSeries and pSeries Linux, zSeries Linux, and AMD64/Opteron/EM64T Linux systems, install the 64-bit client instead of the 32-bit client

because the server is 64-bit. For example:rpm -ihv idsldap-cltbase61-6.1.0-0.ppc.rpmrpm -ihv idsldap-clt64bit61-6.1.0-0.ppc64.rpm

3. Depending on which type of server you want, do one of the following:

v Install the proxy server by typing the following at a command prompt:

rpm -ihv idsldap-cltjava61-6.1.0-0.i386.rpmrpm -ihv idsldap-srvbase32bit61-6.1.0-0.i386.rpmrpm -ihv idsldap-srvproxy32bit61-6.1.0-0.i386.rpmrpm -ihv idsldap-ent61-6.1.0-0.i386.rpm

v Install the full server by typing the following at a command prompt:

Chapter 8. Installing IBM Tivoli Directory Server using Linux utilities 63



rpm -ihv idsldap-cltjava61-6.1.0-0.i386.rpmrpm -ihv idsldap-srvbase32bit61-6.1.0-0.i386.rpmrpm -ihv idsldap-srv32bit61-6.1.0-0.i386.rpm

4. Verify that the packages have been installed correctly by typing the following ata command prompt:

rpm -qa | grep idsldap

If the product has been successfully installed, the following is displayed:v For the proxy server:

idsldap-cltbase61-6.1.0-0idsldap-clt32bit61-6.1.0-0idsldap-cltjava61-6.1.0-0idsldap-srvbase32bit61-6.1.0-0idsldap-srvproxy32bit61-6.1.0-0idsldap-ent61-6.1.0-0

v For the full server:

idsldap-cltbase61-6.1.0-0idsldap-clt32bit61-6.1.0-0idsldap-cltjava61-6.1.0-0idsldap-srvbase32bit61-6.1.0-0

idsldap-srv32bit61-6.1.0-0

Note: The 64-bit client is displayed for iSeries and pSeries Linux, zSeries Linux,and AMD64/Opteron/EM64T Linux systems.

5. Install the English messages:

rpm -ihv idsldap-msg61-en-6.1.0-0.i386.rpm

You can install messages in other languages by using the package names forthose languages. These names are:

v German: idsldap-msg61-de-6.1.0-0.arch.rpm

v Spanish: idsldap-msg61-es-6.1.0-0.arch.rpm

v French: idsldap-msg61-fr-6.1.0-0.arch.rpm

v

Italian: idsldap-msg61-it-6.1.0-0.arch.rpmv Japanese: idsldap-msg61-ja-6.1.0-0.arch.rpm

v Korean: idsldap-msg61-ko-6.1.0-0.arch.rpm

v Brazilian Portuguese: idsldap-msg61-pt_BR-6.1.0-0.arch.rpm

v Simplified Chinese: idsldap-msg61-zh_CN-6.1.0-0.arch.rpm

v Traditional Chinese: idsldap-msg61-zh_TW-6.1.0-0.arch.rpm

where arch is one of the following:

v i386 for xSeries Linux systems

v s390 for zSeries Linux systems

v ppc for iSeries and pSeries Linux systems

v

x86_64 for AMD64/Opteron/EM64T Linux systems6. If you want to include security functions, install GSKit. See “Installing GSKit”

on page 65.

7. If you install a server, you must install IBM Tivoli Directory Integrator if youwant to do any of the following:

v Use the idssupport tool, which gathers information from your system thatyou can supply to IBM Software Support if you encounter problems, or thelog management tool (idslogmgmt).

You can find information about the support tool and the log managementtool in the IBM Tivoli Directory Server version 6.1 Problem Determination Guide.




v To install the full server (with English messages), type:

pkgadd -d idsldap.cltbase61.pkgpkgadd -d idsldap.clt64bit61.pkgpkgadd -d idsldap.cltjava61.pkgpkgadd -d idsldap.srvbase64bit61.pkgpkgadd -d idsldap.srv64bit61.pkgpkgadd -d idsldap.msg61.en.pkgpkgadd -d idsldap.ent61.pkg

Notes:

a. When you install client or server packages, the system might prompt youwith the following query: This package contains scripts which will beexecuted with super-user permission during the process ofinstalling the package. Continue with installation?

Type y to continue. These scripts create the IBM Tivoli Directory Serveruser ID.

b. If you are installing a server package, you might also see the followingprompt: Do you want to install these as setuid and/or setgid files?

Type y to continue. The programs must be able to start daemons, runDB2 commands, and create the IBM Tivoli Directory Server DB2 instance

user ID and group, so they must occasionally run as root.v To install messages in another language, type the following:

pkgadd -d idsldap.msg60.language_ID.pkg

where language_ID is one of the following:

– de for German

– es for Spanish

– fr for French

– it for Italian

– ja for Japanese

– ko for Korean

– pt_BR for Brazilian Portuguese

– zh_CN for simplified Chinese

– zh_TW for traditional Chinese

v To install the Web Administration Tool package, type:

pkgadd -d idsldap.webadmin61.pkg

Notes:

a. If you install the Web Administration Tool, DSML files are also copied toyour computer. See Appendix M, “Installing and configuring DSML,” onpage 185 for information about installing and configuring DSML.

b. If you install the Web Administration Tool, a Web application server such

as Embedded WebSphere Application Server is required to run the tool.See Appendix H, “Installing, configuring, and uninstalling EmbeddedWebSphere Application Server,” on page 171 for information aboutinstalling and configuring a Web application server.

4. If you want to include security functions, install GSKit. See “Installing GSKit”on page 72.

5. If you install a server, you must install IBM Tivoli Directory Integrator if youwant to do any of the following:

Chapter 9. Installing IBM Tivoli Directory Server using Solaris utilities 71



Removing GSKitTo remove GSKit, run the following command at a command prompt:

swremove gsk7bas64

Chapter 10. Installing IBM Tivoli Directory Server using HP-UX utilities 79



Chapter 11. Installing and uninstalling silently on Windowssystems

This chapter provides instructions for installing and uninstalling IBM TivoliDirectory Server 6.1 and the language packs on a Windows computer using silentinstallation, and for installing and uninstalling GSKit from the command line onWindows.

To silently install and uninstall on AIX, Linux, Solaris, and HP-UX systems, use theoperating system utilities for those operating systems.

Silent installation

You can use silent installation to install IBM Tivoli Directory Server or thelanguage packs with no user input required.

The following options and conditions apply to silent installation:v You do not need to install all features. You can choose to install:

– The client only

– The Java client

– The Web Administration tool only

– The proxy server (includes the client and the Java client)

– The full server (includes the client and the Java client)

v You can also use IBM Tivoli Directory Server silent installation to install DB2,GSKit, IBM Tivoli Directory Integrator, or Embedded WebSphere ApplicationServer.

v If you install DB2, a Windows system user ID is created for the DB2 system ID.

By default, this user ID is db2admin and the password is db2admin. If you wantto use a different user ID or password, or both, find the db2.rsp file in thetds\installer\neededfiles subdirectory of the first CD or the subdirectory whereyou uncompressed the .zip files. Change db2admin in the file to the user ID orpassword (or both) that you want to use.

Notes:

1. This user ID must not be the user ID that will be used as the owner of thedirectory server instance.

2. If you are not using an existing user ID, DB2 creates the user ID specifiedwith the password specified. This is the preferred method.

3. If you are creating a new user ID and your system has ″Password must meet

complexity requirements″

enabled, be sure that the password you supplymeets the complexity requirements. If it does not, installation will fail. Seethe Windows documentation for information about complexity requirements.

4. If you are using an existing Windows user ID, it must be a member of theAdministrators group. In this case, be sure that the password you specify iscorrect. Otherwise, DB2 does not install correctly.

v You must have at least 255 MB of free space in the directory specified by theTEMP environment variable or the directory you want to use as a temporarydirectory.




v If you are installing the proxy server or the full server, the Administrators groupprovided with the Windows operating system must exist.

v The installation must be run by a user ID with Administrator privileges.

v If the client is already installed, you can add the proxy server or full server in alater installation.

v If a server is selected for installation in the options file, the client and the Java

client will automatically be installed if they are not there, regardless of whetherthey were selected for installation in the options file.

v The Web Administration Tool can be installed whether or not a server or theclient is installed.

v The installation location cannot be the same as the path where another versionof the client is installed.

v The server and the client from IBM Tivoli Directory Server 6.1 can coexist withthe following clients and servers:

– A client from any of the following:



- IBM Tivoli Directory Server 5.2- IBM Tivoli Directory Server 6.0


If any of these are installed, you can leave them installed.

Before you begin silent installation, be sure that the options file for the server,client, or language packs is updated with the correct information about the featuresyou want to install and the installation path. To edit an options file, copy the filefrom the optionsFile directory to a writable location. The files are:

v Server options file: InstallServer.txt

v Client only options file: InstallClient.txt. (This file is provided in the client-only

package.)v Language pack options file: InstallLP.txt

For information about changing the installation options files, see “Options files forsilent installation of servers and language packs” on page 86.

Installing the server or client silentlyTo begin installing the IBM Tivoli Directory Server 6.1 using silent installation:


a. If you are installing DB2, Embedded WebSphere Application Server, or IBMTivoli Directory Integrator, copy the files from the appropriate subdirectoryto the hard disk and set the appropriate system environment variables to

point to the path where you copied the files, as shown in the followingtable:

Table 3. Files and system environment variables for corequisite products

Product Files to copy to hard diskSystem environmentvariable

DB2 db2 directory (from CD 2) DB2Files

Embedded WebSphereApplication Server

appsrv directory (from CD3)

APPSRVFiles

IBM Tivoli Directory Integrator tdi directory (from CD 3) TDIFiles




b. Insert CD 1 in your CD-ROM drive.

c. Go to the drive for your CD-ROM.

d. At a command prompt, type the following:

cd \tds

If you are installing from downloaded .zip files:

a. Go to the directory where you unzipped the downloaded .zip files.

b. At a command prompt, type the following:

cd tdsV6.1\tds

2. Type the following command:

install_tdsSilent.bat -is:silent -options full_path\optionsFiles\InstallServer.txt

where full_path is the full path to the optionsFiles directory.

(If you want to install only the client from the client-only package, substituteInstallClient.txt for InstallServer.txt.)

Notes:

a. If you want to specify a temporary directory other than the one specified bythe TEMP environment variable, use the -is:tempdir option, as follows:

install_tdsSilent.bat -is:silent -options optionsFiles\InstallServer.txt-is:tempdir temp_directory

where temp_directory is the directory you want to use for temporary space.Be sure that you have at least 255 MB of free space in this directory.

b. If you want to specify an additional log file, use the -log option, as follows:

install_tdsSilent.bat -is:silent -options full_path\optionsFiles\InstallServer.txt-log !c:\mydirectory\ldapinst.log @ALL

where full_path is the full path to the optionsFiles directory.

c:\mydirectory\ldapinst.log can be changed to point to where you want toplace the log file. The log file will still be created in the target installation

directory. The default location is C:\Program Files\IBM\LDAP\V6.1\var\ldapinst.log.

c. You must use install_tdsSilent.bat because only install_tdsSilent.bat returns areturn code.

3. IBM Tivoli Directory Server is installed with no further input.

If the installation exits for any reason, you can find information about the exit by viewing the return code or checking the installpath\var\ldapinst.log file.(installpath is the path where you installed IBM Tivoli Directory Server.)

Check the return code by checking the value of %ERRORLEVEL% from a .batfile. A return code of 0 indicates that the installation was successful. A non-zeroreturn code indicates that the installation failed. See “Checking the return code”on page 85 for a list of return codes.

Installation is complete when control returns to the command line or to theinvoking program.

If installation is unsuccessful, check to be sure that your options file settingsand command-line parameters are valid.

4. After installation, restart the system. If you are also installing other products,you can restart at an appropriate time. If the server was installed, you must dothe following before the server is usable:

a. Create a directory server instance using the idsicrt command. See “Creatingan instance with the command line” on page 106.

Chapter 11. Installing and uninstalling silently on Windows systems 83



b. Set the administrator DN and password using the idsdnpw command. See“Managing the primary administrator DN with the command line” on page113.

c. If the directory server instance is a full server, configure the database usingthe idscfgdb command line utility to configure silently. See “Configuringthe database with the command line” on page 116.

Installing language packs silentlyTo begin installing IBM Tivoli Directory Server 6.1 language packs using silentinstallation:



b. Go to the drive for your CD-ROM.

c. At a command prompt, type the following:

cd tdsLangpack

If you are installing from downloaded .zip files:

a. Go to the directory where you unzipped the downloaded .zip files.

b. At a command prompt, type the following:cd tdsV6.1\tdsLangpack

2. At a command prompt, type the following:

v For Intel 32-bit Windows systems:

idslp_setup_win32Silent.exe -is:silent-options full_path_to_options_file\InstallLP.txt

v For AMD/EM64T Windows systems:

idslp_setup_win64Silent.exe -is:silent-options full_path_to_options_file\InstallLP.txt

where full_path_to_options_file is the full path to the InstallLP.txt file you areusing. The InstallLP.txt file is in the tdsLangpack\optionsFiles subdirectory of the CD or the unzipped .zip file, but if you moved it, you must specify thecurrent location of the file.

Note: If you want to specify an additional log file, type the following:

v For Intel 32-bit Windows systems:

idslp_setup_win32Silent.exe -is:silent-options d:\tdsLangpack\optionsFiles\InstallLP.txt-log !c:\mydirectory\ldaplp_inst.log @ALL

v For AMD/EM64T Windows systems:

idslp_setup_win64Silent.exe -is:silent-options d:\tdsLangpack\optionsFiles\InstallLP.txt-log !c:\mydirectory\ldaplp_inst.log @ALL

c:\mydirectory\ldaplp_inst.log can be changed to point to where you wantto place the log file. The log file will still be created in the targetinstallation directory.

The default location is for the log is install_dir\var\ldaplp_inst.log. (If you installed in the default location, the log is C:\Program Files\IBM\LDAP\V6.1\var\ldaplp_inst.log.)




Verifying the silent installationTo verify that the silent installation was successful, you can check the return code,log file, and the Windows registry.

Common reasons for the silent installation failing are:

v A previous or current version of IBM Tivoli Directory Server is already installed.

Only the following are allowed:– A client from any of the following:






v The prerequisites are not present. The server requires a valid version of DB2.

v There is not enough disk space to install.

v The options file is incorrect. Be very careful when editing the options file. Therecannot be blank lines or control characters in the file. If the installation exitswith no log file, this is usually because the options file is invalid (with blanklines, for example), or because the path to the options file was specifiedincorrectly.

Checking the return codeThe %ERRORLEVEL% variable contains the return code. The following returncodes can be received:

v 2002 Java exception (A possible cause is that you are attempting to install to alocation where another version is installed. If you receive this return code,entries might have been created for IBM Tivoli Directory Server 6.1 in theregistry. Check the registry and, if there are any such entries, remove them

before you try to install again.)

v 3001 Prerequisites missingv 3002 Java exception

v 3003 No feature selected for silent install

v 3004 Attemping to install when version prior to 4.1 present

v 3009 Cannot install a feature. (A condition was detected that prevented afeature from being installed. A common cause is that the server or WebAdministration Tool from a previous release is installed. If the server or WebAdministration Tool from a previous release is installed, the only feature thatcan be installed is the client.)

Other return codes might be returned from the InstallShield program.

Checking the log fileTo verify that silent installation was successful using the log file:

1. Check the log file to see if it exists in the target directory. If the log is not there,the installation failed, and you can refer to the log file that was specified on thesilent installation command with the -log option to see why the installationfailed.

2. Check the log file for the string Exiting LdapExit.

Chapter 11. Installing and uninstalling silently on Windows systems 85



## The following 4 lines MUST be present-silent-G createDirectoryResponse="yes"-G replaceExistingResponse="yesToAll"-G removeModifiedResponse="yesToAll"## Select the features to be uninstalled. If a feature was never installed

# then its line must be commented out.# The "activeForUninstall" property specifies whether you want a feature# to be uninstalled.# The "activeForUninstall" property for a feature defaults to true if the# feature is currently# installed; it must be set to false if you want to leave it installed.# The default action, if no features are specified, is to uninstall all# features that are currently installed.# We are also providing support for Corequisite products such as DB2# uninstallation with V6.1-P ClientFeature.activeForUninstall=true-P JavaClientFeature.activeForUninstall=true-P BaseServerFeature.activeForUninstall=true-P ProxyServerFeature.activeForUninstall=true-P ServerFeature.activeForUninstall=true-P WebadminFeature.activeForUninstall=true-P DB2Feature.activeForUninstall=true-P GSKITFeature.activeForUninstall=true-P AppSrvFeature.activeForUninstall=true-P TDIFeature.activeForUninstall=false# This must be last line. Be sure no blank lines or carriage controls follow!

You can edit the features lines to disable a feature from being uninstalled. Forexample, to indicate that you do not want to uninstall the IBM Tivoli DirectoryServer Web Administration Tool, change

-P WebadminFeature.activeForUninstall=true

to

-P WebadminFeature.activeForUninstall=false

Language packs options fileThe following text is in the language packs uninstallation options file,UnInstallLP.txt, provided with IBM Tivoli Directory Server:

# Select the features to be uninstalled. If a feature was never installed the# Sample of a response file for the Language pack Uninstall# (Lines beginning with # are comments)# Be sure there are no blank lines in this file!## The following 4 lines MUST be present-silent-G createDirectoryResponse="yes"-G replaceExistingResponse="yesToAll"

-G removeModifiedResponse="yesToAll"#### The "activeForUninstall" property specifies whether you want a feature to be# uninstalled.# Unless otherwise specified, the "activeForUninstall" property for all installed# features by default is set to true;# a property value must be set to false if you want to leave its feature installed.# The default action, if no property values are specified, is to uninstall all# features that are currently installed.# The following list of features should only include languages installed on# your system.




a. Type a name for the user in the User Name field. This name becomes the directory server instance name.

The name of the new directory server instance must be unique;if there is already a directory server instance on the computerwith the same name, you will receive an error message. SeeAppendix D, “Setting up users and groups: directory serverinstance owner, database instance owner, and database owner,”on page 161 for detailed information about requirements for theuser ID.

b. Type the password for the user in the Password field.

c. If you are on an AIX, Linux, Solaris, or HP-UX system:

1) Type the home directory for the user in the Home directoryfield. You can click Browse to locate the home directory.

2) Type the name of the user’s primary group in the Primarygroup field.

d. Click Create to create the user.

Install locationType the location where the directory server instance files will bestored. Be sure that you have at least 30 MB of free disk space in thislocation.

On Windows systems, this location is a drive, such as C:. Thedirectory instance files will be stored on the drive you specify in the\idsslapd-instance_name directory. (instance_name is the name of thedirectory server instance.)

On AIX, Linux, Solaris, and HP-UX systems, the default location forthe instance files is in the directory instance owner’s home directory,

but you can specify a different path. Click Browse if you want toselect a location.

Encryption seed string

Type a string of characters that will be used as an encryption seed.

The encryption seed must contain only printable ISO-8859-1 ASCIIcharacters with values in the range of 33 to 126, and must be aminimum of 12 and a maximum of 1016 characters in length. Forinformation about what characters can be used, see Appendix K,“ASCII characters from 33 to 126,” on page 181.

This encryption seed is used to generate a set of Advanced EncryptionStandard (AES) secret key values. These values are stored in thedirectory server instance’s directory key stash file and used to encryptand decrypt directory stored password and secretkey attributes.

Record the encryption seed in a secure location; you might need it if

you export data to an LDIF file (the idsdb2ldif command) orregenerate the key stash file (the idsgendirksf command.)

Confirm encryption seedType the encryption seed string again for confirmation.

Use encryption salt valueSelect this check box if you want to provide an encryption salt value.

v If you are migrating and you want the directory server instance to be cryptographically synchronized with the same directory server

Chapter 12. Creating and administering instances 97



Create a universal database if you plan to store data in multiplelanguages in the directory. A universal database is also most efficient

because less data translation is needed. If you want to use languagetags, the database must be a UTF-8 database. For more informationabout UTF-8, see Appendix O, “UTF-8 support,” on page 189.

c. Click Next.

14. In the Verify settings window, information is displayed about the options youspecified. To return to an earlier window and change information, click Back.To begin creating the directory server instance, click Finish.

15. The Results window is displayed, and messages are displayed while theinstance is being created. A completion message is displayed when instancecreation is complete. Click OK to remove the message.

16. Click Close to close the window and return to the main window of theInstance Administration Tool.

17. If you have finished using the Instance Administration Tool, click Close to exitthe tool.

Note: After you set the administrator DN and password and, for a full server,

configure the database, see Chapter 14, “After you install and configure,” onpage 137 for information about:

v Starting the server

v Starting the Embedded WebSphere Application Server service if you haveinstalled and configured the Web Administration Tool.

You can find information about using the Web Administration Tool in theIBM Tivoli Directory Server Version 6.1 Administration Guide.

Migrating an instanceYou can migrate a directory server instance from a previous version of IBM TivoliDirectory Server to a 6.1 directory server instance.

If you are migrating from a version that is before 6.0, you must have already backed up the configuration and schema files. See “Before you upgrade” on page11.

v To migrate a 6.0 directory server instance:

1. If the Instance Administration Tool is not started, start it. See “Starting theInstance Administration Tool” on page 93 for instructions.

2. Select the 6.0 directory server instance you want to migrate in the list, andclick Migrate.

3. In the Migrate directory server instance window, click Migrate.

Messages are displayed while the directory server instance is being migrated.A completion message is displayed when migration is complete. Click OK toremove the message.

Click Close to close the window and return to the main window of theInstance Administration Tool.

If you have finished using the Instance Administration Tool, click Close toexit the tool.

v To migrate a directory server instance from a version before 6.0:


2. Click Create.




instance must already have at least one replication context, replicationgroup, and replication subentry defined. If a replica is being configured,the source directory server instance must already have the initialreplication topology defined, including an agreement to at least one otherserver. If a peer is being configured, the source server must be defined asa master for one or more of the subentries in the replicationconfiguration.

For more information about replication, see the IBM Tivoli Directory Server Administration Guide.

c. In the User name field, specify the system user ID that will own the newdirectory server instance. This will also be the name of the directory serverinstance, the DB2 administrator ID, the database instance name, and thedatabase name. The user ID must exist on the system and must not be thename of any other directory server instance on the computer. The namecannot be longer than 8 characters. See Appendix D, “Setting up users andgroups: directory server instance owner, database instance owner, anddatabase owner,” on page 161 for detailed information about the user ID.

d. In the Password field, specify the system password for the user ID.

e. In the Install location field, specify the location where the directory serverinstance files will be stored. This will also be the location of the database.Be sure that you have at least 30 MB of free disk space in this location.

On Windows systems, this location is a drive, such as C:. The directoryinstance files will be stored on the drive you specify in the\idsslapd-instance_name directory. (instance_name is the name of thedirectory server instance.)

On AIX, Linux, Solaris, and HP-UX systems, the default location for theinstance files is in the directory instance owner’s home directory, but youcan specify a different path. Click Browse if you want to select a location.

Click Next.

5. In the Instance setup - step 2 window, complete the following fields and then

click Next.Administrator DN

Type the administrator DN for the new directory server instance.

PasswordType the administrator DN password for the new directory serverinstance.

Confirm passwordType the administrator DN password again for confirmation.

Copy data from source instance to new instanceIf you want to copy the data from the database of the source directoryserver instance during the copy directory server instance operation,

select this check box and then type the path where the backup imagesare stored in the Path for backup images field. (You can use theBrowse button to help you locate the path.) This check box is selected

by default and cannot be cleared if you are creating a replica or peerserver.

If you want to copy the data while creating the new directory serverinstance, the following requirements must be met:

v The source directory server instance must be configured to allow foronline backups.




Changing the TCP/IP settings for an instance

You can use either the Instance Administration Tool or the command line tochange the TCP/IP settings for an existing directory server instance.

Changing the TCP/IP settings with the Instance Administration

Tool To change the TCP/IP settings for an existing directory server instance:


2. On the IBM Tivoli Directory Server Instance Administration Tool window, selectthe directory server instance you want to change, and then click Edit TCP/IPsettings.

3. On the first Edit TCP/IP settings window that is displayed, do one of thefollowing:

v If you want the directory server instance to listen on all IP addresses, selectthe Listen on all configured IP addresses check box.

v If you want the directory server instance to listen on a particular set of IPaddresses that are configured on the computer, clear the Listen on allconfigured IP addresses check box. Then select the IP address or addressesin the list that you want the directory server instance to listen on. (To selectmultiple addresses, press Shift or Ctrl and click the IP addresses you want.)

Click Next.

4. On the second Edit TCP/IP settings window that is displayed, complete thefollowing fields:

Server port numberType the number of the port you want the server to use as its contactport. The number must be between 1 and 65535.

Server secure port numberType the number of the port you want the server to use as its secureport. The number must be between 1 and 65535.

Admin daemon port numberType the number of the port you want the administration daemon touse as its port. The number must be between 1 and 65535.

Admin daemon secure port numberType the number of the port you want the administration daemon touse as its secure port. The number must be between 1 and 65535.

Notes:

a. The port numbers you specify must not cause conflicts with ports beingused by any other directory server instance that is bound to a particularhostname or IP address.

b. ON AIX, Linux, Solaris, and HP-UX systems, port numbers below 1000 can be used only by root.

Click Finish.

5. A Results window is displayed. A completion message is displayed wheninstance creation is complete. Click OK to remove the message.

6. Click Close to close the window and return to the main window of theInstance Administration Tool.




Changing the TCP/IP settings with the command lineYou can use the idssethost command to set the IP addresses a directory serverinstance will bind to. For example:

To update the IP addresses of the directory server instance myinst to bind only to1.3.45.668, run the following command:

idssethost -I myinst –i 1.3.45.668

To update the IP addresses of the directory server instance myinst to bind to allavailable IP addresses, use the following command:

idssethost -I myinst –i all

You can use the idssetport command to set the ports a directory server instancewill use. For example, to update the port of the directory server instance myinst to555, use the following command:

idssetport -I myinst –p 555

See the IBM Tivoli Directory Server Version 6.1 Command Reference for moreinformation about the idssethost and idssetport commands.

Viewing information about an instance

You can use the Instance Administration Tool or the command line to viewinformation about a directory server instance.

Viewing information about an instance using the InstanceAdministration Tool

To use the Instance Administration Tool to view information about an existingdirectory server instance:

1. If the Instance Administration Tool is not started, start it. See “Starting the

Instance Administration Tool” on page 93 for instructions.2. On the IBM Tivoli Directory Server Instance Administration Tool window, select

the directory server instance for which you want to see information, and thenclick View.

The View instance details window is displayed.

3. Click OK when you have finished viewing the information.

Viewing information about an instance using the commandline

You can use the idsilist command to list the directory server instances on thecomputer.

For example, to get a list of directory server instances residing on the computer,use the following command:

idsilist

To obtain detailed information about the instances, issue the same command withthe -a or -r option. The -a option provides formatted information about all thedirectory server instances on the computer, and the -r option provides the sameinformation in a raw format.




See the IBM Tivoli Directory Server Version 6.1 Command Reference for informationabout the idsilist command.

Deleting a directory server instance

You can use the Instance Administration Tool or the command line to delete adirectory server instance.

Deleting an instance using the Instance Administration ToolTo use the Instance Administration Tool to delete a directory server instance:


2. On the IBM Tivoli Directory Server Instance Administration Tool window, selectthe directory server instance you want to delete, and then click Delete.

The Delete directory server instance window is displayed.

3. In the Options box, click one of the following options:

v Click Delete directory server instance only if you want to remove thedirectory server instance but leave the database instance intact.

v Click Delete directory server instance and destroy associated databaseinstance if you want to remove the database instance as well as removingthe directory server instance.

4. Click Delete.

5. Messages are displayed in the window as the directory server instance isremoved. A completion message is displayed when instance removal iscomplete. Click OK to remove the message.

6. When removal is complete, click Close to close the window and return to themain window of the Instance Administration Tool.

Deleting an instance using the command line

You can use the idsidrop command to delete a directory server instance.

For example, to remove a directory server instance and retain the associateddatabase instance, run the following command:

idsidrop -I <instancename>

To remove a directory server instance and destroy the associated database instance,run the following command:

idsidrop -I <instancename> -r

To unconfigure the associated database instance without removing a directoryserver instance, run the following command:

idsidrop -I <instancename> -R

See the IBM Tivoli Directory Server Version 6.1 Command Reference for informationabout the idsidrop command.




Chapter 13. Configuration

If you did not use the Instance Administration Tool to set the administrator DNand password or configure the database for the directory server instance, you can

use either the Configuration Tool (idsxcfg) or command-line utilities for thesetasks. You must set the administrator DN and password and, for a full server,configure the database before you can use the directory instance. Also, if you wantto change the administrator DN or password after you have set it for the first time,you must use either the Configuration Tool or the command line.

Note: After you configure, see Chapter 14, “After you install and configure,” onpage 137 for information about:

v Starting the server

v Starting the Embedded WebSphere Application Server service if you wantto use the Web Administration Tool

You can find more information in the IBM Tivoli Directory Server Version 6.1 Administration Guide.

You can use the Configuration Tool for the following tasks:

v Managing the primary administrator DN and password.

v Configuring and unconfiguring the database

v Enabling and disabling the change log

v Adding and removing suffixes

v Adding and removing schema files

v Importing and exporting LDIF data

v Backing up, restoring, and optimizing the database

v

Configuring Active Directory synchronizationv Tuning the performance of the directory server instance

Starting and using the IBM Tivoli Directory Server Configuration Tool

(idsxcfg)

To start and use the Configuration Tool:

1. On AIX, Linux, Solaris, or HP-UX systems, log in as root, as the directoryserver instance owner, or with a user ID that is in the primary group of thedirectory server instance owner. On Windows systems, log on as any user inthe default Administrators group.

2. Go to the sbin subdirectory of the directory where IBM Tivoli Directory Server

6.1 is installed. This directory is:

v On Windows systems, by default:

C:\Program Files\IBM\LDAP\V6.1\sbin

v On AIX, Solaris, and HP-UX systems: /opt/IBM/ldap/V6.1/sbin

v On Linux systems: /opt/ibm/ldap/V6.1/sbin

3. Type idsxcfg at a command prompt.

If you have more than one directory server instance on the computer, you musttype idsxcfg -I instancename where instancename is the name of the directoryserver instance you want to configure.




If the password is not specified, you are prompted for the password. The passwordis not displayed on the command line when you type it.

Note: If the administration password policy has been enabled, the administrator’spassword must conform to the administration password policyrequirements. See the IBM Tivoli Directory Server Version 6.1 AdministrationGuide for information about the password policy.

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailedinformation about the idsdnpw command.

Managing the primary administrator password for a directory server

instance

You can use either the Configuration Tool or the command line to set or changethe primary administrator password.

Managing the primary administrator password with theConfiguration Tool

To set or change the primary administrator password with the Configuration Tool:1. Stop the server if it is running.

2. In the IBM Tivoli Directory Server Configuration Tool window, click Manageadministrator password in the task list on the left.

3. In the Manage administrator password window on the right, type a passwordin the Administrator password field. Passwords are case-sensitive. Double bytecharacter set (DBCS) characters in the password are not supported.

Record the password in a secure place for future reference.

Note: If the administration password policy has been enabled, the primaryadministrator’s password must conform to the administration passwordpolicy requirements. See the IBM Tivoli Directory Server Administration

Guide for information about the password policy.4. Retype the password in the Confirm password field.

5. Click OK.

6. A completion message is displayed. Click OK.

Managing the primary administrator password with thecommand line

You can use the idsdnpw command to change the primary administrator passwordfor a directory server instance. The command can be run only when the directoryserver instance is not running.

For example:

To change the primary administrator password to newsecret on a computer withonly one directory server instance, issue the command:

idsdnpw –p newsecret

You are prompted to continue or exit.

Note: If the administration password policy has been enabled, the primaryadministrator’s password must conform to the administration password




b. Click the type of database you want to create. You can create a UCSTransformation Format (UTF-8) database, in which LDAP clients can storeUTF-8 character data, or a local code page database, which is a database inthe local code page.

Create a universal database if you plan to store data in multiple languagesin the directory. A universal database is also most efficient because less datatranslation is needed. If you want to use language tags, the database must

be a UTF-8 database. For more information about UTF-8, see Appendix O,“UTF-8 support,” on page 189.

c. Click Finish.

5. Messages are displayed while the database is being configured. Click Closewhen database configuration is complete.

Configuring the database with the command lineYou can use the idscfgdb command to configure a database for a directory serverinstance.

This command cannot be used for a proxy server instance.

The idsicrt command must have already run successfully to create the databaseinstance. In addition, the database instance owner must be set up correctly.Otherwise, the command fails.

The directory server instance owner specifies a database administrator user ID, adatabase administrator password, the location to store the database, and the nameof the database. The database administrator ID specified must already exist on thesystem. See Appendix D, “Setting up users and groups: directory server instanceowner, database instance owner, and database owner,” on page 161 for informationabout requirements for this ID.

By using the -w option, you can reset the password for the database administrator

and the change log database owner in the configuration file for the directory serverinstance.

After successfully creating the database, the command adds information about thedatabase to the ibmslapd.conf file of the directory server instance. The databaseand local loopback settings are created, if they do not exist. You can specifywhether to create the database as a local codepage database or as a UTF-8database, which is the default.

Attention:

1. Before configuring the database, be sure that the environment variableDB2COMM is not set.

2. The server must be stopped before you configure the database.

For example:

To configure a database called ldapdb for directory server instance ldapdb in thelocation /home/ldapdb with a DB2 database administrator ID of ldapdb whosepassword is secret, issue the command:

idscfgdb -I ldapdb –a ldapdb –w secret –t ldapdb –l /home/ldapdb

If the password is not specified, you are prompted for the password. The passwordis not displayed on the command line when you type it.




See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailedinformation about the idscfgdb command.

Changing the password for the database owner

If you change the system password for the database owner after the database isconfigured for a directory server instance, the password is not automatically

changed in the configuration file for the directory server instance. When thepassword for the database owner in the configuration file does not match thesystem password for the database owner user ID, the directory server instancestarts only in configuration mode until you update the password in theconfiguration file.

Changing the password for the database owner with theConfiguration Tool

To change the password for the database owner in the configuration file for thedirectory server instance:

1. In the Configuration Tool, click Configure database in the task list on the left.

2. Type the database owner’s new password in the Password field. Passwords arecase sensitive.

3. Click Next.

4. Click Finish.

5. Messages are displayed while the password is being changed. Click Closewhen processing is complete.

Note: If the change log is enabled, this procedure also updates the password forthe change log database owner in the configuration file.

Changing the password for the database owner with thecommand line

When the password for the database owner is changed on the system, the directoryserver must be notified to update its configuration file. This update can be done inone of two ways:

v Using the idscfgdb command when the server is stopped

v Using the idsldapmodify command

You can use the idscfgdb command to change the password for the databaseowner in the configuration file for the directory server instance if the directoryserver is stopped.

For example, to change the password to newpasswrd on a system with only onedirectory server instance, use the following command:

idscfgdb -w newpasswrd

You are prompted to either continue or exit.

You can use the idsldapmodify command to change the password while thedirectory server instance is running. The idsldapmodify command must be used

by the primary directory server administrator or by a directory administrator withdirdata authority. Use the idsldapmodify command with an LDIF file that has thefollowing contents:

Chapter 13. Configuration 117



dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configurationchangetpye: modifyreplace: ibm-slapdDbUserPWibm-slapdDbUserPW: newPassword

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailedinformation about the idscfgdb and idsldapmodify commands.

Unconfiguring the database for a directory server instance

When you unconfigure the database, the Configuration Tool removes the databaseinformation for the directory server instance from the configuration file. Based onyour selections, it might also delete the database (and all data in it).

Note: This option is not available if you are configuring a proxy server or if youhave not installed the full server on the computer.

You can use either the Configuration Tool or the command line to unconfigure thedatabase.

Unconfiguring the database with the Configuration ToolTo unconfigure the database using the Configuration Tool:

1. In the Configuration Tool, click Unconfigure database in the task list on theleft.

2. In the Unconfigure database window, click one of the following:

Unconfigure onlyDoes not destroy any existing LDAP DB2 data. However, theconfiguration information for the database will be removed from theconfiguration file for the directory server instance, and the databasewill be inaccessible to the directory server instance.

Unconfigure and destroy database

Removes the existing database and its contents, and removes theconfiguration information for the database from the configuration filefor the directory server instance.

3. Click Unconfigure.

4. In response to the confirmation message that is displayed, click Yes.

Unconfiguring the database with the command lineYou can use the idsucfgdb command to unconfigure a database for a directoryserver instance.

By default, the command only unconfigures the database from the ibmslapd.conf file and does not delete the database. However, you can use the specify that you

want to delete the database during the unconfiguration process. You are promptedto confirm that you want to continue with the actions you requested.


For example:

To unconfigure the database for directory server instance myinstance and notprompt before unconfiguring, issue the command:

idsucfgdb -n -I myinstance




required. The change log information is added to the directory server instance’sibmslapd.conf file. A change log requires the following:

v A database instance with the same name as the directory server instance mustalready exist.

v A database for the directory server instance must already be configured.

v For AIX, Linux, Solaris, and HP-UX platforms, the local loopback service must

be registered in the /etc/services file.Otherwise, the command fails.


You can optionally specify the maximum number of entries to keep in the changelog and the maximum age to which each entry in the change log is kept until it isautomatically destroyed. If you do not specify any options, the entries in thechange log never expire and the size of the change log is a maximum of 1,000,000entries.

For example:

To configure a change log for directory server instance ldapdb with no age limit orsize limit, issue the command:

idscfgchglg -I ldapdb –m 0

To configure a default change log for directory server instance ldapdb with a sizelimit of 1,000,000 and an entry age of 25 hours, issue the command:

idscfgchglg -I ldapdb –y 1 –h 1

Note: After the change log is configured, the -y, -h, and -m options can be used toupdate the maximum age and maximum size of the entries in the changelog.

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailedinformation about the idscfgchglg command.

Disabling the change logYou can use either the Configuration Tool or the command line to unconfigure thechange log. When you unconfigure the change log, the change log database is alsodeleted.

Disabling the change log with the Configuration ToolTo use the Configuration Tool to disable the change log:

1. In the Configuration Tool, click Manage changelog in the task list on the left.

2. In the Configure/unconfigure changelog window, clear the Disable change logdatabase check box.

3. Click Update.

4. In response to the confirmation message, click Yes.

5. Messages are displayed while the change log is being disabled. Click Closewhen the task is complete.

Disabling the change log with the command lineYou can use the idsucfgchglg command to unconfigure a change log for adirectory server instance. A change log must be currently configured in theibmslapd.conf file for the directory server instance. No parameters are needed to




Removing a suffix with the command lineYou can use the idsucfgsuf command to remove a suffix from a directory serverinstance’s ibmslapd.conf file. This command fails if the directory server instance isa proxy server or if the suffix does not exist in the configuration file.

For example:

To remove the suffix o=sample from the ibmslapd.conf file on a computer with asingle directory server instance, run the following command:

idsucfgsuf -s o=sample

To remove the suffix o=sample from the ibmslapd.conf file of directory serverinstance myinstance on a computer with multiple directory server instances, issuethe command:

idsucfgsuf -I myinstance -s o=sample

Note: These system defined suffixes cannot be removed:

v cn=localhost

v cn=configuration

v cn=ibmpolicies

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailedinformation about the idsucfgsuf command.

Managing schema files

You can use the Configuration Tool or the command line for the following schemafile tasks:

v Adding a schema file to the list of schema files that will be loaded at startup

v Removing a schema file from the list of schema files that will be loaded atstartup

v Changing the type of validation checking that is done for schema files

Note: The server must be stopped before you add or remove schema files.

Adding a schema fileYou can use either the Configuration Tool or the command line to add a schemafile to the list of schema files that will be loaded at startup. The schema file mustexist on the computer.

Adding a schema file with the Configuration ToolTo use the Configuration Tool to add a schema file to the list of schema files thatwill be loaded at startup:

1. In the Configuration Tool, click Manage schema files in the task list on the left.

2. In the Manage schema files window, type the path and file name of the schemafile you want to load at startup. (Alternatively, click Browse to search for thefile.)

3. Click Add.

Note: When you click Add, the schema file is added to the list in the Currentschema files box; however, the schema file is not actually added untilyou click OK.




4. When you have added all the schema files you want, click OK.

Adding a schema file with the command lineYou can use the idscfgsch command to add a schema file to the list of schema filesthat will be loaded at startup. The schema file must exist on the computer. Thedirectory server instance owner must specify the schema file to add to thedirectory server instance’s ibmslapd.conf file. For example, to configure the schema

file /home/mydir/myschema.oc in the directory server instance’s ibmslapd.conf file, run the following command:

idscfgsch –s /home/mydir/myschema.oc

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailedinformation about the idscfgsch command.

Removing a schema fileYou can use either the Configuration Tool or the command line to remove aschema file from the list of schema files that will be loaded at startup.

Removing a schema file with the Configuration Tool

To use the Configuration Tool to remove a schema file from the list of schema filesthat will be loaded at startup:

1. In the Configuration Tool, click Manage schema files in the task list on the left.

2. In the Manage schema files window, click the schema file you want to removein the Current schema files box.

3. Click Remove.

Notes:

a. The following schema files cannot be removed:

v V3.system.at

v V3.system.oc

v V3.config.at

v V3.config.oc

v V3.ibm.at

v V3.ibm.oc

v V3.user.at

v V3.user.oc

v V3.ldapsyntaxes

v V3.matchingrules

v V3.modifiedschema

b. When you click Remove, the schema file is removed from the list in theCurrent schema files box; however, the schema file is not actually removed

until you click OK.4. In response to the confirmation message, click Yes.

5. When you have selected all the schema files you want to remove, click OK toprocess the files.

Removing a schema file with the command lineYou can use the idsucfgsch command to unconfigure a schema file for a directoryserver instance. The schema file must be currently configured in the directoryserver instance’s ibmslapd.conf file. The directory server instance owner mustspecify the schema file to remove from the directory server instance’sibmslapd.conf file.




This option is not available if you are configuring a proxy server or if you havenot installed the full server on the computer.

You can also use the command line to import, export, or validate LDIF data.

v To import data from an LDIF file, you can use either the idsldif2db or theidsbulkload utility.

v

To export data to an LDIF file, use the idsdb2ldif utility.v To validate the data in the LDIF file, use the idsbulkload utility.

See the IBM Tivoli Directory Server Version Command Reference for information aboutthe idsldif2db, idsdb2ldif, and idsbulkload commands.

Importing LDIF data with the Configuration Tool

Attention: If you want to import LDIF data from another server instance, theLDIF import file must be cryptographically synchronized with the server instancethat is importing the LDIF file; otherwise any AES-encrypted entries in the LDIFfile will not be imported. See Appendix E, “Synchronizing two-way cryptography

between server instances,” on page 165 for information about synchronizingdirectory server instances. If you selected the Export data for AES-enableddestination server check box when exporting the data with the Configuration Tool(see step 5 on page 127), the LDIF import file is cryptographically synchronizedwith the server instance that is importing the LDIF file.

Before you being to import data, also consider the following information:

Notes:

1. This option is not available if you are configuring a proxy server or if you havenot installed the full server on the computer.

2. Before you import the data from an LDIF file, be sure to add any necessarysuffixes. See “Adding a suffix” on page 121 for information about adding a

suffix.3. The server must be stopped before you import LDIF data.

To import data from an LDIF file:

1. In the Configuration Tool, click Import LDIF data in the task list on the left.

2. In the Import LDIF data window on the right, type the path and file name of the LDIF file in the Path and LDIF file name field. Alternatively, you can clickBrowse to locate the file.

3. If you want trailing spaces removed from the data, select the Remove trailingspaces in Standard import or Bulkload check box.

4. Click Standard import if you want to import the data using the idsldif2dbutility, or click Bulkload if you want to import the data using the idsbulkload

utility.

Note: For large LDIF files, the idsbulkload utility is a faster alternative toidsldif2db if you are importing a large number of entries.

5. If you clicked Bulkload, select the type or types of checking you want toperform on the LDIF data in the Bulkload options box. You can select one ormore of the following:

v Enable schema checking

v Enable ACL checking

v Enable password policy




Restoring the database

You can use the Configuration Tool or the command line to restore data and,optionally, configuration settings that were previously backed up.

v Updating statistics related to the data tables for the purpose of improvingperformance and query speed


The server must be stopped before you can restore the database.

Notes:

1. A database can be restored only into a database and database instance with thesame names that were used for the database backup.

2. The restore function works only if a database is currently configured for agiven directory server instance. The restore function restores the backupdatabase into the currently configured database. The command fails if the

backed up database instance and database do not match the configured

database instance and database. Additionally, the restore function requires thatthe database location of the backed up database and the database it is restoringare the same.

Using the Configuration ToolTo restore the database using the Configuration Tool:

1. In the Configuration Tool, click Restore database in the task list on the left.

2. In the Restore database window on the right, in the Restore directory field,type the path in which the directory was previously backed up. Alternatively,click Browse to locate the path.

3. If you want to restore only the directory data, but not the configurationsettings, select the Restore data only (not configuration settings) check box. If

you want to restore both data and configuration settings, be sure the check boxis cleared.

4. Click Restore.

Using the command lineFor information about using the idsdbrestore command to restore a previously

backed up database, see the IBM Tivoli Directory Server version 6.1 CommandReference.

This command cannot be used for proxy server instances.

Optimizing the databaseOptimize the database to update statistics related to the data tables; this canimprove performance and query speed. Perform this action periodically or afterheavy database updates; for example, after importing database entries.

The server must be stopped before you can optimize the database.





a path with no spaces and no quotation marks, or use the short namewhen you specify the path. For example, if you wanted to specify theC:\Program Files\IBM\TDI\V6.1.1 directory, you could usec:\Progra~1\IBM\TDI\V6.1.1) to avoid spaces in the path.

2. Optionally, load the sample users.ldif and groups.ldif files into the ActiveDirectory Server. Use the documentation for Active Directory Server.

3. Configure Active Directory synchronization using the IBM Tivoli DirectoryServer Configuration Tool or the idsacscfg command. Configuring ActiveDirectory synchronization generates the adsync_private.prop andadsync_public.prop files. See “Configuring Active Directory synchronizationwith the Configuration Tool” for information.

4. Modify the adsync_public.prop file to customize optional attributes and SSLparameters, if needed. See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information. (If you are using SSL, be sure to see theSSL setup information also.)

5. Start Active Directory synchronization, using the idsadsrun command. You areasked if you want to fully synchronize, followed by real time synchronization,or only start real time synchronization. See the IBM Tivoli Directory ServerVersion 6.1 Command Reference for information.

Note: If there are errors in the parameters specified for Active Directory, theseerrors will not be found during configuration, but during runtime (whenyou use the idsadsrun command). If errors are reported during runtimein the Active Directory parameters, you must reconfigure the ActiveDirectory parameters correctly using the Configuration Tool (in theActive Directory synchronization: Active Directory details window) orthe idsadscfg command.

Changes made to the Active Directory entries will be read by the ActiveDirectory synchronization, which listens for changes.

Active Directory synchronization will synchronize any changes to the IBMTivoli Directory Server directory. The IBM Tivoli Directory Integrator

Administration and Monitoring Console can be used for further administrationand monitoring.

Configuring Active Directory synchronization with theConfiguration Tool

To configure Active Directory synchronization with the Configuration Tool:

1. In the Configuration Tool, click Active directory synchronization in the tasklist on the left. The Active Directory synchronization: Instance Details windowopens. Use this window to provide information about the directory serverinstance you want to synchronize with Active Directory. The information youprovide will be saved in the adsync_private.properties andadsync_public.properties files, which are in the etc\tdisoldir subdirectory of the directory server instance.

2. In the Directory suffix field, type the IBM Tivoli Directory Server suffix youwant to use for Active Directory synchronization. (The LDAP URL field iscompleted with the URL for the directory server instance. You cannot edit thisfield.)

3. In the Group container entry DN field, type the DN of the container intowhich groups from Active Directory will be copied. (This container mustexist.)

Groups and the memberships of users in groups are kept synchronized between Active Directory and IBM Tivoli Directory Server. When a user is




added to or removed from a group in Active Directory, the user will be addedto or removed from the corresponding group in IBM Tivoli Directory Server.

4. In the User container entry DN field, type the DN of the container into whichusers from Active Directory will be copied. (This container must exist.)

5. If you want to use an SSL connection to Active Directory, select the Use SSLconnection to Active directory check box. (Using an SSL connection to IBM

Tivoli Directory Server is not supported.) See the IBM Tivoli Directory Server Administration Guide for information about additional setup that is required foran SSL connection.

6. Click Next. The Active Directory synchronization: Active Directory detailswindow opens. Use this window to provide information about your ActiveDirectory setup before you synchronize with IBM Tivoli Directory Server.

7. In the Host address field, type the hostname or IP address of the ActiveDirectory domain controller.

8. In the Host port field, type the port used by Active Directory.

9. In the Login name and Login password fields, type the login name andpassword that IBM Tivoli Directory Integrator will use to bind to ActiveDirectory. The ID must have sufficient permission to read the Active Directory

entries that are to be propagated to the directory server instance.10. In the Search base field, type the subtree in Active Directory from which the

changes to the directory server instance will be made. Only changes to usersin this subtree will be propagated to the directory server instance. In mostcases, set the search base to the top of the Active Directory tree, so that allusers in Active Directory groups will be found and copied to the directoryserver instance.

11. In the Group container entry DN field, type the DN for the Active Directorycontainer from which groups in Active Directory will be synchronized to thedirectory server instance.

12. In the User container entry DN field, type the DN for the Active Directorycontainer that contains the user entries in Active Directory to be synchronized

to the directory server instance.When a user is added to Active Directory, the user will be added to thedirectory server instance only if it is in this container. When an existing user ismoved into this container, the user will be added to the directory serverinstance. The user’s group memberships will also be checked and the user will

be added to any groups in IBM Tivoli Directory Server that are synchronizedwith Active Directory. When an existing user is moved out of this container,the user will be deleted from IBM Tivoli Directory Server, and the user will bedeleted from all groups in IBM Tivoli Directory Server.

If the user container names from Active Directory are changed dynamically(while Active Directory synchronization is running), you must reconfigureActive Directory synchronization with the new names or Active Directory

synchronization will stop and no longer run until the names are reconfigured.You can specify multiple user containers to synchronize with a singleorganizational unit (OU) in Tivoli Directory Server by using the semicolon (;)as a separator. (Other characters used as separators are not supported.) If youuse the semicolon (;) separator, enclose the argument in quotation marks (″),as shown in the following example:"ou=SWUGroups,dc=adsync,dc=com;ou=STGGroups,dc=adsync,dc=com"

The sAMAccountName attribute from Active Directory will be used tocompose the $dn attribute in Tivoli Directory Server. Because the




sAMAccountName attribute is unique in a domain, there will not be conflictswhen synchronizing multiple Active Directory user containers to a singleTivoli Directory Server OU.

13. Click Finish. The Active Directory synchronization: Results window opens.This window shows the time at which Active Directory synchronizationconfiguration started, the amount of time that has passed since ActiveDirectory synchronization configuration began, and any messages that occurduring configuration.

14. Click Close when the configuration process is complete.

Configuring Active Directory synchronization with thecommand line

You can use the idsadscfg command to configure Active Directory synchronization.For example:

idsadscfg -I inst1 -adH ldap://9.182.191.134:389 -adb dc=adsynctest,dc=com -adDcn=administrator,cn=users,dc=adsynctest,dc=com -adw sec001ret -adg ou=testgroup1,dc=adsynctest,dc=com -adu ou=testuser1,dc=adsynctest,dc=com -idss o=ibm,c=us -idsgou=Testgroup1,ou=groups,o=ibm,c=us -idsu ou=Testuser1,ou=users,o=ibm,c=us

Tuning the performance of the directory server

The Performance Tuning tool makes recommendations about performance tuningsettings (the directory server caches and DB2 buffer pools) based on input youprovide about the directory server instance. The tool can also update these settings.

Additionally, if your directory server instance has been deployed and running forsome time, the tool monitors the performance of the directory server instance anddisplays database ″health check″ information.

For best performance, always run the Performance Tuning tool on new directoryserver instances, as soon as the initial directory data is loaded. Then run the tool

again periodically, especially after you add a significant number of entries or makemajor changes to the content of entries (such as adding a new set of attributes toeach entry).


Performance tuning with the Configuration ToolTo run the Performance Tuning tool with the Configuration Tool:

1. In the Configuration Tool, click Performance tuning in the task list on the left.The Performance tuning: administrator input window opens.

Note: When the window opens, the message "Loading total number of entriesand average entry size from server instance database" is displayed atthe top of the window. Wait until the message is removed before youtype information in the fields.

Use this window to provide information that the Performance Tuning tool willuse to calculate the following settings for the directory server instance:

v Entry cache size

v Filter cache size

v Group Member Cache size

v Group Member Cache Bypass Limit




8. If you want the tool to provide the most thorough performance analysis, selectthe Enable collection of additional system data for extended tuning check

box. The Performance Tuning tool will run for 5 minutes and collect andanalyze data about the directory server instance, and then makerecommendations about the settings for the following DB2 parameters inaddition to the settings recommended when you do not enable extendedtuning:

v SORTHEAP

v MAXFILOP

v DBHEAP

v CHNGPGS_THRESH

v NUM_IOSERVERS

v NUM_IOCLEANERS

Recommendations for these DB2 parameters are made in the perftune_stat.logfile for the directory server instance.

Notes:

a. The directory server instance must have been running for some time

before there will be enough DB2 data available to do the database healthcheck analysis and make any recommendations for these settings.

b. Selecting this check box enables the DB2 monitor switches BUFFERPOOLand SORTHEAP. The performance of the directory server instance is likelyto degrade while these switches are enabled and the data is beingcollected.

c. To get accurate data for the best tuning for your directory server instance,select the Enable collection of additional system data for extended tuningcheck box during a time when directory activity is typical for yourenvironment. Running the database health check when the directory serveris less busy than usual does not result in optimum performancerecommendations.

9. Click Next. The Performance tuning: verification window opens. Use thiswindow to verify that you want to use the performance tuning settingscalculated by the Performance Tuning tool.

10. Inspect the settings recommended by the tool.

The Database health status table is not completed if this is a new directoryserver instance with no database activity yet. The table is completed if thePerformance Tuning tool has collected information about at least oneDB2-related parameter. The information is also logged in the perftune_stat.logfile.

If the database is populated and has had enough activity, information aboutthe following DB2 parameters is displayed:

v DB2 NUM_IOSERVERS

v DB2 NUM_IOCLEANERS

v CATALOGCACHE_SZ

v PCKCACHESZ

v LOGFILSIZ

v LOCKLIST

If you selected the Enable collection of additional system data for extendedtuning check box on the Performance tuning: administrator input window,information about the following DB2 parameters is also displayed:

v SORTHEAP




Chapter 14. After you install and configure

After you install the server, create the directory server instance, set theadministrator DN and password, and configure the database (for a full server

only), you can start the directory server instance. If you installed the WebAdministration Tool and Embedded WebSphere Application Server, you can alsostart the Web application server.

Starting the directory server instance

To start the directory server instance using the command line, go to the sbinsubdirectory of the directory where you installed IBM Tivoli Directory Server. Thisdirectory is:

v C:\Program Files\IBM\LDAP\V6.1\sbin by default on Windows systems

v /opt/IBM/ldap/V6.1/examples/sample.ldif on AIX, Solaris, and HP-UXsystems

v /opt/ibm/ldap/V6.1/examples/sample.ldif on Linux systems

Type the following commands at a command prompt:

idsslapd -I instancenameidsdiradm -I instancename

instancename is the name of the directory server instance you want to start. (Youmust start both the directory server instance and the administration server for theinstance for all functions of the Web Administration Tool to work.)

On Windows systems, you can also start and stop the directory server instancethrough the Services folder.

v

To start the directory server instance, in the Services folder:1. Click IBM Tivoli Directory Server Instance V6.1 - instancename. Then click

Action -> Start.

2. Click IBM Tivoli Directory Admin Daemon V6.1 - instancename. Then clickAction -> Start.

v To stop the directory server instance, in the Services folder:

1. Click IBM Tivoli Directory Server Instance V6.1 - instancename. Then clickAction -> Stop.

2. Click IBM Tivoli Directory Admin Daemon V6.1 - instancename. Then clickAction -> Stop.

instancename is the name of the directory server instance you want to start or stop.

For information about starting and stopping the server and performing otheradministrative tasks using the Web Administration Tool and the command line, seethe IBM Tivoli Directory Server Version 6.1 Administration Guide.




Starting the Web application server to use the Web Administration

Tool

If you installed IBM Tivoli Directory Server using the InstallShield GUI installationprogram, the Web application server is started automatically. These instructions areprovided in case you need to start it manually.

To start the Web application server if you are using Embedded WebSphereApplication Server as your Web application server:

Type one of the following at a command prompt.

v WASPath\profiles\TDSWebAdminProfile\bin\startServer.bat server1 forWindows systems

v WASPath/profiles/TDSWebAdminProfile/bin/startServer.sh server1 for AIX,Linux, Solaris, or HP-UX systems

where WASPath is the path where you installed Embedded WebSphere ApplicationServer. This path is:

v

By default on Windows: c:\Program Files\IBM\LDAP\V6.1\appsrvv On AIX, Solaris, and HP-UX: /opt/IBM/ldap/V6.1/appsrv

v On Linux: /opt/ibm/ldap/V6.1/appsrv

Starting the Web Administration Tool

To start the Web Administration Tool:

1. After you have started the Web application server, from a Web browser, typethe following address: http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp

The IBM Tivoli Directory Server Web Administration Tool Login page isdisplayed.

Note: This address works only if you are running the browser on the computeron which the Web Administration Tool is installed. If the WebAdministration Tool is installed on a different computer, replacelocalhost with the hostname or IP address of the computer where theWeb Administration Tool is installed. You can use the ipconfig commandto find the IP address of the computer.

2. Log in to the console as the console administrator, using the followinginstructions:

a. Be sure that Console Admin is displayed in the LDAP Hostname field.

b. In the Username field, type superadmin.

c. In the Password field, type secret.

The IBM Tivoli Directory Server Web Administration Tool console is displayed.3. Add the server to the console, using the following instructions:

a. Expand Console administration in the navigation area.

b. Click Manage console servers. A table of server host names and portnumbers is displayed.

c. Click Add.

d. Type the hostname or the IP address of the server in the Hostname field;for example, myserver.mycity.mycompany.com

e. Specify the server port number in the Port field and the Admin daemonport number in the Administration port field.




f. Select the Enable SSL encryption check box if the server is SSL-enabled.

g. Click OK, and then click OK again on the confirmation panel.

4. Click Logout in the navigation area.

5. Log in as the directory server instance administrator:

a. On the IBM Tivoli Directory Server Web Administration Login Tool page,select the LDAP host name or IP address for your computer from the

drop-down menu for the LDAP Hostname field.b. Type the administrator DN and the password for the directory server

instance. You specified these fields during instance creation.

c. Click Login on the lower left side of the window.

For detailed information about using the Web Administration Tool, see the IBMTivoli Directory Server Version 6.1 Administration Guide.

Stopping the Web application server

Use one of the following commands to stop the Web application server:

v On Windows systems:

WASPath\profiles\TDSWebAdminProfile\bin\stopServer.bat server1v On AIX, Linux, Solaris, or HP-UX systems:

WASPath/profiles/TDSWebAdminProfile/bin/stopServer.sh server1

where WASPath is the path where you installed Embedded WebSphere ApplicationServer. This path is:

v By default on Windows: c:\Program Files\IBM\LDAP\V6.1\appsrv

v On AIX, Solaris, and HP-UX: /opt/IBM/ldap/V6.1/appsrv

v On Linux: /opt/ibm/ldap/V6.1/appsrv

Setting kernel parameters on Solaris or HP-UX systems

On Solaris and HP-UX systems, you might need to update kernel parameters inthe /etc/system file before you use the database.

A utility called db2osconf is provided with some versions of DB2 for Solaris andHP-UX. The db2osconf utility determines the correct kernel settings for yourcomputer. The command for configuring kernel parameters varies by operatingsystem, hardware, and DB2 version.

For more information, see the DB2 documentation. You can also search DB2technotes for additional information.

Chapter 14. After you install and configure 139

http://www.ibm.com/software/data/db2/library/





a. At a command prompt, go to the IBM Tivoli Directory Server _uninstdirectory.

– On AIX, Solaris and HP-UX systems, this directory is/opt/IBM/ldap/V6.1/_uninst.

– On Linux systems, this directory is /opt/ibm/ldap/V6.1/_uninst.

b. Run the uninstall command:

./uninstall2. Select the language you want to use during the uninstallation procedure. Click

OK.


4. Select the features you want to uninstall. Click Next. Be sure that you do notselect:

v The client unless you also select the Server and the Proxy Server

v The java client unless you also select the Server and the Proxy Server

v DB2 unless you also select the Server

If you remove features that are required for other features, your system is leftin an inconsistent state and unpredictable results will occur.

Note: If features are deselected, and then you re-select all features, be sure toselect the top check box (the Product Uninstallation check box) so thatthe InstallShield GUI removes everything associated with the product.The Product Uninstallation check box must always be selected unlessyou want to leave one or more features installed.

5. On the confirmation window, to uninstall the selected features, click Next.

6. If you are asked if you want to restart your computer now or later, select theoption you want. Click Finish.

Uninstalling language packs using the InstallShield GUI

This section describes how to uninstall the IBM Tivoli Directory Server languagepacks using the InstallShield GUI.

Notes:

1. If you installed the language packs using the InstallShield GUI, use theInstallShield GUI to uninstall.

To remove language packs using the InstallShield GUI:

1. To start the InstallShield GUI uninstallation program:


a. In the Control Panel, click Add/Remove Programs.

b. Select IBM Tivoli Directory Server 6.1 Language Pack. Click

Change/Remove.v On AIX, Linux, Solaris, and HP-UX systems: (The InstallShield GUI for

language packs is not available on Solaris X64 and HP-UX Integrity systems.)

a. At a command prompt, go to the IBM Tivoli Directory Server languagepack uninstallation directory.

– On AIX, Solaris, and HP-UX systems, this directory is/opt/IBM/ldap/V6.1/LangPack/uninstall

– On Linux systems, this directory is /opt/ibm/ldap/V6.1/LangPack/uninstall




b. Run the uninstall command: uninstaller.bin


3. Select the language packs you want to uninstall. Click Next.

4. On the confirmation window, to uninstall the selected features, click Next.

5. Click Finish when the uninstallation is complete.

Uninstalling using operating system utilities

Use one of the following procedures to uninstall IBM Tivoli Directory Server usingoperating system utilities for your operating system.

Notes:

1. If you installed IBM Tivoli Directory Server using the InstallShield GUI,uninstall using the process in “Uninstalling IBM Tivoli Directory Server usingthe InstallShield GUI” on page 141.

2. If you inadvertently uninstall IBM Tivoli Directory Server using operatingsystem utilities after installing using the InstallShield GUI, follow the process in“Uninstalling IBM Tivoli Directory Server using the InstallShield GUI” on page141 and the instructions in the IBM Tivoli Directory Server Problem DeterminationGuide for a failed installation to clean up your system files and registry.

3. Uninstalling IBM Tivoli Directory Server does not remove any databases youcreated using IBM Tivoli Directory Server.

AIX systemsYou can uninstall IBM Tivoli Directory Server from an AIX system using SMIT orinstallp.

SMIT removalTo uninstall IBM Tivoli Directory Server using SMIT:

1. Log in as root.

2. Type smit at a command prompt and press Enter.3. Select Software Installation and Maintenance.

4. Select Software Maintenance and Utilities.

5. Select Remove Installed software.

6. In the Software Name field, you can press F4 to display a list of installedsoftware. (You can search for idsldap in the list to display only the IBM TivoliDirectory Server packages.)

7. Select the packages you want to remove, and press Enter.

installp removalTo uninstall all of the IBM Tivoli Directory Server filesets using the installpcommand-line utility:

1. Log in as root.

2. Type the following at a command prompt:

installp -u idsldap

This removes only IBM Tivoli Directory Server filesets, but it does remove IBMTivoli Directory Server 6.0 filesets if you have any. It does not remove othercomponents such as DB2.

Chapter 15. Uninstalling IBM Tivoli Directory Server 143



Linux systemsThe following procedures show how to remove IBM Tivoli Directory Server froman xSeries Linux computer. If you do not have the full server installed, removeonly the packages that you do have installed, but be sure that you follow the ordershown. See “Installing IBM Tivoli Directory Server” on page 61 for package names.Before removing IBM Tivoli Directory Server, ensure that the server is stopped and

then issue the following commands.

Note: These instructions use Linux Intel-based packages. For zSeries, iSeries, orpSeries Linux, substitute the appropriate package names.

1. Log in as root.

2. Uninstall the English messages:

rpm -ev idsldap-msg61-en-6.1.0-0

3. Do one of the following, based on what you want to uninstall:

v For a 32-bit server (such as xSeries Linux):

– Uninstall the full server (and the client) by typing the following at acommand prompt:

rpm -ev idsldap-srv32bit61-6.1.0-0rpm -ev idsldap-srvbase32bit61-6.1.0-0rpm -ev idsldap-cltjava61-6.1.0-0rpm -ev idsldap-clt32bit61-6.1.0-0rpm -ev idsldap-cltbase61-6.1.0-0

– Uninstall the proxy server (and the client) by typing the following at acommand prompt:

rpm -ev idsldap-srvproxy32bit61-6.1.0-0rpm -ev idsldap-srvbase32bit61-6.1.0-0rpm -ev idsldap-cltjava61-6.1.0-0rpm -ev idsldap-clt32bit61-6.1.0-0rpm -ev idsldap-cltbase61-6.1.0-0rpm -ev idsldap-ent61-6.1.0-0

– Uninstall only the 32-bit client by typing the following at a command

prompt: (If you have a server installed, you must uninstall it before youcan uninstall the client.)

rpm -ev idsldap-clt32bit61-6.1.0-0rpm -ev idsldap-cltbase61-6.1.0-0

v For a 64-bit server (such as iSeries Linux):

– Uninstall the full server (and the client) by typing the following at acommand prompt:

rpm -ev idsldap-srv64bit61-6.1.0-0rpm -ev idsldap-srvbase64bit61-6.1.0-0rpm -ev idsldap-cltjava61-6.1.0-0rpm -ev idsldap-clt64bit61-6.1.0-0rpm -ev idsldap-cltbase61-6.1.0-0

– Uninstall the proxy server (and the client) by typing the following at a

command prompt:rpm -ev idsldap-srvproxy64bit61-6.1.0-0rpm -ev idsldap-srvbase64bit61-6.1.0-0rpm -ev idsldap-cltjava61-6.1.0-0rpm -ev idsldap-clt64bit61-6.1.0-0rpm -ev idsldap-cltbase61-6.1.0-0rpm -ev idsldap-ent61-6.1.0-0

– Uninstall only the 64-bit client by typing the following at a commandprompt: (If you have a server installed, you must uninstall it before youcan uninstall the client.)




rpm -ev idsldap-clt64bit61-6.1.0-0rpm -ev idsldap-cltbase61-6.1.0-0

To uninstall only the Web Administration Tool, type the following at a commandprompt:

rpm -ev idsldap-webadmin61-6.1.0-0

Solaris systemsYou can uninstall IBM Tivoli Directory Server using the admintool utility or from acommand line using pkgrm.

Command line removal using pkgrmTo see what IBM Tivoli Directory Server components are installed, type:

pkginfo | grep -i IDSl

The output displayed is similar to the following: (Only the installed packages aredisplayed.)

application IDSl32c61 IBM Directory Server - 32 bit Clientapplication IDSl64p61 IBM Directory Server - Proxy Server

application IDSl64s61 IBM Directory Server - 64 bit Serverapplication IDSl64c61 IBM Directory Server - 64 bit Clientapplication IDSlbc61 IBM Directory Server - Base Clientapplication IDSlbs61 IBM Directory Server - Base Serverapplication IDSljc61 IBM Directory Server - Java Clientapplication IDSlen61 IBM Directory Server - Messages U.S. English (en)application IDSlweb61 IBM Directory Server - Web Administrationapplication IDSlent61 IBM Directory Server - Entitlement

Use pkgrm to remove the desired packages. For example:

v To uninstall the full server (with the client and English messages), type:

pkgrm IDSlent61 IDSlen61 IDSl64s61 IDSlbs61 IDSljc61 IDSl64c61 IDSlbc61

v To uninstall the proxy server (with the client and English messages), type:

pkgrm IDSlent61 IDSlen61 IDSl64p61 IDSlbs61 IDSljc61 IDSl64c61 IDSlbc61

v To uninstall only the 32-bit client, type: (You cannot uninstall only the client if you have a server installed.)

pkgrm IDSl32c61 IDSlbc61

v To uninstall the 64-bit client, type:

pkgrm IDSl64c61 IDSlbc61

v To uninstall the Web Administration Tool package, type:

pkgrm IDSlweb61

Remove the packages in the reverse order of the installation sequence. (The orderin which you remove the Web Administration Tool is not important.)

HP-UX systemsTo remove IBM Tivoli Directory Server, complete the following steps:

1. Type swremove at a command prompt.

2. On the list that is displayed, select the IBM Tivoli Directory Server packagesyou want to remove.

3. Click Actions -> Mark For Remove.

4. Click Actions -> Remove.

5. Click OK when analysis is complete.

6. When removal is complete, click Done.

Chapter 15. Uninstalling IBM Tivoli Directory Server 145



7. Click File -> Exit.

Note: The subdirectories of /opt/IBM/ldap/V6.1/ and /var/idsldap/V6.1/ mightnot be removed when you uninstall IBM Tivoli Directory Server. You canuse the rm -rf command to remove these directories.




Appendix A. Directory structure of downloaded files

For each type of operating system, there are:

v .iso files that you can use to create CDs for installation

v .zip files (for Windows systems) or .tar files (for non-Windows systems) that youcan uncompress and use for installation

The sections that follow show the directory structure and, at a high level, thecontents of the .iso, .zip and .tar files for IBM Tivoli Directory Server 6.1 for eachtype of operating system.

Directory structure for Windows files

The directory structure for the Intel 32-bit Windows and AMD/EM64T Windowspackages is the same, though some file names are different.

The file names for the IBM Tivoli Directory Server 6.1 forWindows packages are:

Intel 32-bit Windows packages

Table 4. File names for Intel 32-bit Windows packages

CD number CD Image File name .zip File name

CD 1 tds61-win-ia32-cd1.iso tds61-win-ia32-cd1.zip




AMD/EM64T Windows packages

Table 5. File names for AMD/EM64T Windows packages


CD 1 tds61-win-x86_64-cd1.iso tds61-win-x86_64-cd1.zip




After you create the CDs or unzip the .zip files, the directory structure is asfollows:

v CD 1:

tdsV6.1 (Top level directory for unzipped file)—gskit\ (GSKit 7.0.3.30)—license\ (Licenses for IBM Tivoli Directory Server and

other provided products)—quickstart\ (Quick Start Guides in English and other languages)—tds\ (Installer files)—entitlement\ (Entitlement files for Proxy server)—tdsLangpack\ (IBM Tivoli Directory Server language packs)—tools\ (Tools including migbkup)




v CD 2:

tdsV6.1 (Top level directory for unzipped file)—db2\ (DB2 v9 Fix Pack 2)

v CD 3:

tdsV6.1 (Top level directory for unzipped file)—appsrv\ (Embedded WebSphere Application Server version 6.1.0.7)—tdi\ (IBM Tivoli Directory Integrator 6.1.1 server runtime and AMC)

v CD 4:

tdsV6.1 (Top level directory for unzipped file)—whitepages\ (Directory White Pages)—appsrv\ (Embedded WebSphere Application Server version 6.1.0.7)—license\ (License for White Pages)—entitlement\ (Entitlement files for White Pages)

Directory structure for AIX files

The file names for the IBM Tivoli Directory Server 6.1 for AIX packages are:AIX packages

Table 6. File names for AIX packages

CD number CD Image File name .tar File name

CD 1 tds61-aix-ppc64-cd1.iso tds61-aix-ppc64-cd1.tar




After you create the CDs or untar the .tar files, the directory structure is as follows:v CD 1:

tdsV6.1 (Top level directory for untarred file)—gskit/ (GSKit 7.0.3.30)—license/ (Licenses for IBM Tivoli Directory Server and

other provided products)—quickstart/ (Quick Start Guides in English and other languages)—tdsfiles/ (Operating system utility installation files)—tds/ (Installer files)—entitlement/ (Entitlement files for Proxy server)—tdsLangpack/ (IBM Tivoli Directory Server language packs)—tools/ (Tools including migbkup)

v CD 2:

tdsV6.1 (Top level directory for untarred file)—db2/ (DB2 v9 Fix Pack 2)

v CD 3:

tdsV6.1 (Top level directory for untarred file)—appsrv/ (Embedded WebSphere Application Server version 6.1.0.7)—tdi/ (IBM Tivoli Directory Integrator 6.1.1 server runtime and AMC)

v CD 4:




tdsV6.1 (Top level directory for untarred file)—whitepages/ (Directory White Pages)—appsrv/ (Embedded WebSphere Application Server version 6.1.0.7)—license/ (License for White Pages)—entitlement/ (Entitlement files for White Pages)

Note: The AIX files includes a 32-bit client in addition to the 64-bit client that is

installed through the InstallShield GUI installation program.

Directory structure for Linux files

The directory structure for the xSeries Linux, AMD64/EM64T Linux, zSeries Linux,and iSeries and pSeries Linux packages is the same, though some file names aredifferent.

The file names for the IBM Tivoli Directory Server 6.1 forLinux packages are:

xSeries Linux packages

Table 7. File names for xSeries Linux packages

CD number CD Image File name .tar File nameCD 1 tds61-linux-ia32-cd1.iso tds61-linux-ia32-cd1.tar

CD 2 tds61-linux-ia32-cd2.iso tds61-linux-ia32-cd2.tar



AMD64/EM64T Linux packages

Table 8. File names for AMD64/EM64T Linux packages


CD 1 tds61-linux-x86_64-cd1.iso tds61-linux-x86_64-cd1.tar




zSeries Linux packages

Table 9. File names for zSeries Linux packages


CD 1 tds61-linux-s390x-cd1.iso tds61-linux-s390x-cd1.tar




iSeries and pSeries Linux packages

Table 10. File names for iSeries and pSeries Linux packages


CD 1 tds61-linux-ppc64-cd1.iso tds61-linux-ppc64-cd1.tar


Appendix A. Directory structure of downloaded files 149



Table 10. File names for iSeries and pSeries Linux packages (continued)




After you create the CDs or untar the .tar files, the directory structure is as follows:v CD 1:


other provided products)—quickstart/ (Quick Start Guides in English and other languages)—tdsfiles/ (Operating system utility installation files)—tds/ (Installer files)—entitlement/ (Entitlement files for Proxy server)—tdsLangpack/ (IBM Tivoli Directory Server language packs)

—tools/ (Tools includingmigbkup

)v CD 2:


v CD 3:


v CD 4:


Note: The Linux for iSeries and pSeries files include a 64-bit client in addition tothe 32-bit client that is installed through the InstallShield GUI installationprogram.

Directory structure for Solaris SPARC files

The file names for the IBM Tivoli Directory Server 6.1 for Solaris SPARC packages

are:Table 11. File names for Solaris SPARC packages


CD 1 tds61-solaris-sparc-cd1.iso tds61-solaris-sparc-cd1.tar







After you create the CDs or untar the .tar files, the directory structure is as follows:

v CD 1:



v CD 2:


v CD 3:


v CD 4:


Directory structure for Solaris X64 files

The file names for the IBM Tivoli Directory Server 6.1 for Solaris X64 packages are:

Table 12. File names for Solaris X64 packages


CD 1 tds61-solaris-x86_64-cd1.iso tds61-solaris-x86_64-cd1.tar



Solaris X64 packages


v CD 1:


other provided products)—quickstart/ (Quick Start Guides in English and other languages)—tdsfiles/ (Operating system utility installation files)—tds/ (Installer files)—entitlement/ (Entitlement files for Proxy server)




—tdsLangpack/ (IBM Tivoli Directory Server language packs)—tools/ (Tools including migbkup)

v CD 2:


v

CD 3:

tdsV6.1 (Top level directory for untarred file)—appsrv/ (Embedded WebSphere Application Server version 6.1.0.7)

Directory structure for HP-UX PA-RISC files

The file names for the IBM Tivoli Directory Server 6.1 for HP-UX PA-RISCpackages are:

Table 13. File names for HP-UX PA-RISC packages


CD 1 tds61-hpux-parisc-cd1.iso tds61-hpux-parisc-cd1.tar





v CD 1:



v CD 2:


v CD 3:


v CD 4:





Directory structure for HP-UX Integrity files

The file names for the IBM Tivoli Directory Server 6.1 for HP-UX Integritypackages are:

Table 14. File names for HP-UX Integrity packages


CD 1 tds61-hpux-ia64-cd1.iso tds61-hpux-ia64-cd1.tar




v CD 1:



v CD 2:


v CD 3:

tdsV6.1 (Top level directory for untarred file)—appsrv/ (Embedded WebSphere Application Server version 6.1.0.7)




Appendix B. Disk space requirements for installable features

IBM Tivoli Directory Server requires the following amounts of disk space for eachinstallable feature. Information is given for each type of supported operating

system.

Windows disk space requirements

On Windows systems, the following amounts of disk space are required:

Table 15. Sizes of installable features (in MB) on Windows systems

Installable feature Installed size

Client SDK 25 MB

Java client 95 MB

Deployed Web Administration Tool (includes EmbeddedWebSphere Application Server, IBM Tivoli DirectoryIntegrator Administration and Monitoring Console, andWeb Administration Tool deployed into EmbeddedWebSphere Application Server)

352 MB

Base server 23 MB

Proxy server (Be sure to add the sizes for the Client SDK, Java client, and Base server.)

15 MB

Full server (Be sure to add the sizes for the Client SDK, Java client, and Base server)

22 MB

DB2 420 MB

IBM Tivoli Directory Integrator 232 MB

GSKit 11 MB

Note: If you install both the proxy server and the full directory server, add thesizes for the client, Java client, and base server only once.

AIX disk space requirements

On AIX systems, the following amounts of disk space are required:

Table 16. Sizes of installable features (in MB) on AIX systems


Client SDK 11 MB

Java client 143 MB


361 MB

SSL Web Administration Tool 51 MB

Base server 35 MB




Table 16. Sizes of installable features (in MB) on AIX systems (continued)



20 MB

Full server (Be sure to add the sizes for the Client SDK, Java client, and Base server.)

40 MB

DB2 450 MB


GSKit 40 MB


Linux disk space requirements

On Linux systems, the following amounts of disk space are required:

Table 17. Sizes of installable features (in MB) on Linux systems Installable feature Installed size

Client SDK 7 MB

Java client 175 MB


380 MB

Base server 32 MB

Proxy server (Be sure to add the sizes for the Client SDK,

Java client, and Base server.)

20 MB


25 MB

DB2 (xSeries Linux) 451 MB

DB2 (zSeries Linux) 425 MB

DB2 (iSeries and pSeries Linux) 451 MB


GSKit 40 MB

Note: If you install both the proxy server and the full directory server, add the

sizes for the client, Java client, and base server only once.

Solaris disk space requirements

On Solaris systems, the following amounts of disk space are required:

Table 18. Sizes of installable features (in MB) on Solaris systems


Client SDK 8 MB

Java client 135 MB




Table 18. Sizes of installable features (in MB) on Solaris systems (continued)



451 MB

Base server 36 MB


20 MB


15 MB

DB2 681 MB


GSKit 18 MB


HP-UX disk space requirements

On HP-UX systems, the following amounts of disk space are required:

Table 19. Sizes of installable features (in MB) on HP-UX systems


Client SDK 10 MB

Java client 160 MB

Deployed Web Administration Tool (includes Embedded

WebSphere Application Server, IBM Tivoli DirectoryIntegrator Administration and Monitoring Console, andWeb Administration Tool deployed into EmbeddedWebSphere Application Server)

451 MB

Base server 47 MB


47 MB


15 MB

DB2 681 MB


GSKit 16 MB


Appendix B. Disk space requirements for installable features 157



Appendix C. Configuration planning

Before configuring and populating your database, determine:

What type of data you are going to store in the directoryDecide what sort of schema you need to support the type of data you wantto keep in your directory. A standard set of attribute-type definitions andobject-class definitions is included with the directory server. Before you

begin adding entries to the directory, you might want to add newattribute-type and object-class definitions that are customized to your data.

Note: You can make schema additions after the directory is alreadypopulated with data, but schema changes might require you tounload and reload your data.

Which code page you are going to useDecide whether to create your database using the local code page or usingthe Universal Character Set (UTF-8). Selecting the local code page enablesIBM Tivoli Directory Server applications and users to get search results asexpected for the collation sequence of the native language, but allows onlydata in that specific code page to be stored in the directory. Using UTF-8enables the storing of any UTF-8 character data in the directory. IBM TivoliDirectory Server clients running anywhere in the world (in any UTF-8supported language) can access and search the directory. In many cases,however, the client might have limited ability to properly display theresults retrieved from the directory in a particular language or characterset. See Appendix O, “UTF-8 support,” on page 189 for more information.

Note: If you want to use language tags, the database must be a UTF-8database.

How you want to structure your directory dataAn IBM Directory is stored in a hierarchical tree structure. The names of entries in the directory are based on their relative position within the treestructure. It is important to define some logical organization to thedirectory. A logical organization makes it easier for clients to determinewhich branch of the tree contains the information they are trying to locate.

Your data security requirementsSee the Secure Sockets Layer information in the IBM Tivoli Directory ServerVersion 6.1 Administration Guide for information about how your data issecured.

How you want to allocate access permissionsSee the access control lists information in the IBM Tivoli Directory Serverversion 6.1 Administration Guide for information about using accesspermissions.

Whether you need a proxy serverIf the directory data is large and the environment is write-intensive,consider using a proxy server. Large directory environments that areread-heavy might be able to achieve adequate scaling by introducingreplication. Before deciding to use a proxy server, refer to the list of supported features within the proxy server in the IBM Tivoli DirectoryServer Version 6.1 Administration Guide. Proxy server supports fewer featuresthan the directory server alone.




Appendix D. Setting up users and groups: directory serverinstance owner, database instance owner, and databaseowner

When you create a directory server instance, a user ID on the operating systemmust exist for the directory server instance owner. For a full server, there must also

be user IDs on the operating system for the owners of the database instance andthe database. You can use the same user ID for all three roles; if you do this, thedirectory server instance, the database instance, and the database owner all havethe same name.

If you use the Instance Administration Tool to create a directory server instance,you can create the directory server instance owner user ID through the tool. If youuse the command line to create the directory server instance, you can use theidsadduser command to create the directory server instance owner user ID. Thiscommand creates a user ID that meets all requirements.

Use the following information to understand the directory server instance owner,database instance owner, and database owner roles before you create the user IDor IDs.

The roles are defined as follows:

Directory server instance ownerYou must have a user ID for the owner of the directory server instance.The user ID for the directory server instance owner is also the name of thedirectory server instance. This user has the authority to manage thedirectory server instance.

On Windows systems, any member of the Administrators group also hasthe authority to manage the directory server instance.

On AIX, Linux, Solaris, and HP-UX systems, the primary group of thedirectory server instance owner also has the authority to manage thedirectory server instance.

Note: On AIX, Linux, Solaris, and HP-UX systems, these names arecase-sensitive. You must always specify the directory server instancename and owner exactly as the user ID is specified. For example,JoeSmith and joesmith are different names.

Database instance ownerThis user ID owns the database instance that is configured to be used by

the directory server instance. The database instance name and the databaseinstance owner name are the same. This user manages the databaseinstance. The directory server instance owner can also manage the databaseinstance. By default, this user ID is the same as the directory serverinstance owner ID.

Database ownerThis user ID owns the database that is used by the directory serverinstance to store the directory data. The database resides in the databaseinstance owned by the database instance owner. The directory serverinstance uses this user ID and its password to connect to the database.




Naming rules

The requirements in this section apply to the following:

v The directory server instance name (the user ID that owns the directory serverinstance).

v The database instance name (the user ID that owns the database instance). This

is usually the same as the directory server instance name.v On AIX, Linux, Solaris, and HP-UX, the primary groups of the directory server

instance owner user ID and the database instance owner user ID.

These user and group IDs:

v Can be no longer than 8 characters

v Cannot be any of the following:

– USERS

– ADMINS

– GUESTS

– PUBLIC

– LOCAL– idsldap

v Cannot begin with any of the following:

– IBM

– SQL

– SYS

v Cannot include accented characters

v Can include the following characters:

– A through Z

– a through z

– 0 through 9v Must begin with one of the following characters:

– A through Z

– a through z

Additional restrictions for users and groups

In addition to the naming rules, be sure that the following requirements are met:

v On Windows systems,

– The directory server instance owner and the database instance owner must bemembers of the Administrators group.

– The database instance owner must have the locale set to the correct locale forthe language in which you want server messages to be displayed. If necessary, log in as the user and change the locale to the correct one.


– The root ID must be a member of the primary group of the directory serverinstance owner and the database instance owner.

– The root ID must be a member of the idsldap group.

– The directory server instance owner and the database instance owner must bemembers of the idsldap group.




– The directory server instance owner and the database instance owner musthave home directories.

– The specific permissions for the home directory of the directory serverinstance owner must be as follows:

- The user ownership is the directory server instance owner.

- The group ownership is the directory server instance owner’s primary

group.- The directory server instance owner and its primary group must have read,

write, and execute permissions to the home directory.

– The directory server instance owner and its primary group must have read,write, and execute access to the location where the database will be created.

– If the directory server instance owner and the database instance owner for agiven directory server instance are different users, the directory serverinstance owner must be a member of the database instance owner’s primarygroup.

– The database instance owner and the database owner for a given directoryserver instance must have the same primary group.

– For best results, the login shell of the directory server instance owner, thedatabase instance owner, and the database owner should be the Korn shellscript (/usr/bin/ksh).

– The password of the directory server instance owner, the database instanceowner, and the database owner must be set correctly and ready to use. Forexample, the password cannot be expired or waiting for a first-time validationof any kind. (The best way to verify that the password is correctly set is totelnet to the same computer and successfully log in with that user ID andpassword.)

– When configuring the database, it is not necessary, but customary, to specifythe home directory of the database instance owner as the database location.However, if you specify some other location, the database instance owner’shome directory still must have 3 to 4 MB of space available. This is because

DB2 creates links and adds files into the home directory of the databaseinstance owner even though the database itself is elsewhere. If you do nothave enough space in the home directory, you can either create enough spaceor change the database instance owner’s home directory.

Creating instance owners: examples

You can use the idsadduser command to create instance owners that meet therequirements for a directory server instance owner.

For example:

v The following command creates a new user on an AIX, Linux, Solaris, or HP-UX

system with user name JoeSmith. The primary group is employees, the homedirectory is /home/joe, and the password is joespw.

idsadduser –u JoeSmith –g employees –l /home/joe –w joespw

v The following command creates a new user on a Windows system with username JoeSmith and password joespw. The user is a member of theAdministrators group.

idsadduser –u JoeSmith –w joespw

Appendix D. Setting up users and groups: directory server instance owner, database instance owner, and database owner 163



Appendix E. Synchronizing two-way cryptography betweenserver instances

If you want to use replication, use a distributed directory, or import and exportLDIF data between server instances, you must cryptographically synchronize theserver instances to obtain the best performance. (If you create a directory serverinstance as a copy of an existing directory server instance, the two directory serverinstances are cryptographically synchronized and you do not need to synchronizethem.)

If you already have a server instance, and you have another server instance thatyou want to cryptographically synchronize with the first server instance, use thefollowing procedure before you do any of the following:

v Start the second server instance

v Run the idsbulkload command from the second server instance

v

Run the idsldif2db command from the second server instance

To cryptographically synchronize two server instances, assuming that you havealready created the first server instance:

1. Create the second server instance, but do not start the server instance, run theidsbulkload command, or run the idsldif2db command on the second serverinstance.

2. Use the idsgendirksf utility on the second server instance to recreate theibmslapddir.ksf file (the key stash file) from the first server instance. This file isused to replace the second server instance's original ibmslapddir.ksf file. Forinformation about the idsgendirksf utility, see the IBM Tivoli Directory ServerVersion 6.1 Administration Guide. The file is in the idsslapd-instance_name\etcdirectory on Windows systems, or in the idsslapd-instance_name/etc directoryon AIX, Linux, Solaris, and HP-UX systems. (instance_name is the name of thedirectory server instance).

3. Start the second server instance, run the idsbulkload command, or run theidsldif2db command on the second server instance.

The server instances are now cryptographically synchronized, and AES-encrypteddata will load correctly.

Although the procedure discusses two server instances, you might need a group of server instances that are cryptographically synchronized.

Note: When importing LDIF data, if the LDIF import file is not cryptographically

synchronized with the server instance that is importing the LDIF data, anyAES-encrypted entries in the LDIF import file will not be imported.




Appendix F. Directory server instances

A directory server instance consists of all files that are required for a directoryserver and its corresponding administration daemon to run on a computer. The

administration daemon (idsdiradm) enables remote management of the directoryserver instance. When it is running, the administration daemon supports starting,stopping, restarting, and monitoring the status of the directory server instance.

Directory server instance files include:

v The ibmslapd.conf file (the configuration file)

v Schema files

v Log files

v Key stash files

v Temporary status files

The files for a directory server instance are stored in a directory namedidsslapd-instance_name, where instance_name is the name of the directory serverinstance.

Note: If you are using SSL, the SSL key database, Java keystore, and the Kerberoskey tab files are not directly part of a directory server instance. A defaultSSL key database attribute value exists in the ibmslapd.conf file of eachdirectory server instance. However, it is the responsibility of the directoryserver instance owner to do the following:

v Create the SSL key database, the key stash file, and the Kerberos key tabas needed

v Add the information into the ibmslapd.conf file of the directory serverinstance

. These files can be shared by multiple directory server instances on thecomputer and should be stored in a secure location on the system that isindependent of a given directory server instance.

Directory server instance content on Windows systems

On Windows systems, the idsslapd-instance_name directory is in the root directoryof a drive that you specify during instance creation.

The directory server instance owner user ID and by all members of theAdministrators group have read and write access to files in theidsslapd-instance_name directory.

The idsslapd-instance_name directory on Windows systems contains the followingsubdirectories and files:

v etc

v tmp

v logs

v idsprofile.bat

v userprofile.bat




The idsprofile.bat file is used to set the environment for the directory serverinstance. The userprofile.bat file is used to customize the environment. Theidsprofile.bat file invokes the userprofile.bat file after setting the environment. If you want to customize the environment, be sure to change the userprofile.bat fileand not the idsprofile.bat file.

Directory server instance content on AIX, Linux, Solaris, and HP-UXsystems

On AIX, Linux, Solaris, and HP-UX systems, the idsslapd-instance_name directoryis, by default, in the directory server instance owner’s home directory, but you canspecify a different location during instance creation.

For AIX, Linux, Solaris, and HP-UX systems, the idsslapd-instance_name directorycontains the following subdirectories and files:

v adworkdir

v db2instance –> DB2_instance_directory (for example, /home/ldapdb2/sqllib)

v etc

v

idsprofilev logs

v tmp

v userprofile

v workdir

The idsprofile file is used to set the environment for the directory server instance.The userprofile file is used to customize the environment. The idsprofile fileinvokes the userprofile file after setting the environment. If you want to customizethe environment, be sure to change the userprofile file and not the idsprofile. file.

Files in the idsslapd-instance_name directory are owned by the directory server

instance owner user ID and the primary group of the directory server instanceowner user ID.




Appendix G. Preparing for copying an instance or for onlinebackup and restore

Online backup and restore is used when you make a copy of a directory serverinstance and copy the data to the new instance. Before the directory server instancecan be copied, you must do the following on the directory server instance that will

be copied.

On the directory server instance you are making a copy of:

1. Determine a location to store files to be used for recovery purposes. This can be, for example, a backup computer or separate media.

In the steps that follow, a directory named /largespace is used to store the files.The DB2 instance owner must have write permission for the /largespacedirectory. The logs and backup files should not be kept on the same filesystemas the directory database.

The directory server instance and the database are both named ldapdb2 in theexample. Substitute the name of the directory server instance you want to copyfor ldapdb2 and the location where you are storing the backup files for /largespace when you run the commands.

2. Make sure that ibmslapd is not running by using the following command:

ibmslapd –I ldapdb2 -k

3. Specify where the log files will be kept, as shown in the following command:

db2 update db config for ldapdb2 using newlogpath /largespace/db2logs-ldapdb2

(For this example, the log files are stored in the /largespace/db2logs-ldapdb2directory.)

4. Update the directory server instance database for online backup support (set

logretain on):db2 update db config for ldapdb2 using logarchmeth1 logretaindb2 force applications alldb2stopdb2start

Note: In the LOGRETAIN mode, it is important to monitor the disk spaceavailable for the log files because if the disk fills up, directory updateswill not be possible until the condition is corrected.

5. After logretain is set to recovery, you must make a full offline backup. Createa full database offline backup by using the following command:

db2 backup db ldapdb2 to /largespace/full-ldapdb2

(The backup files for this example are stored in the /largespace/full-ldapdb2directory.)

6. Restart the directory server instance:

ibmslapd –I ldapdb2

For complete information about online backup and restore, see the IBM TivoliDirectory Server V6.1 Administration Guide.




Appendix H. Installing, configuring, and uninstallingEmbedded WebSphere Application Server

To use the Web Administration Tool, a Web application server is required.Embedded WebSphere Application Server 6.1.0.7 is provided with IBM TivoliDirectory Server 6.1 as a Web application server.

If you use the InstallShield GUI to install the Web Administration Tool, you canselect Embedded WebSphere Application Server for installation. In this case,configuration is also done automatically.

If you use native installation methods, you can install and configure EmbeddedWebSphere Application Server manually. If you already have EmbeddedWebSphere Application Server 6.1.0.7 installed, you must configure manually

before you can use the Web Administration Tool.

Manually installing and configuring Embedded WebSphere ApplicationServer

The following instructions show how to manually install Embedded WebSphereApplication Server, and then how to deploy the Web Administration Tool into it. If you install the Web Administration Tool and Embedded WebSphere ApplicationServer through the InstallShield GUI, this setup is done for you.

Installing Embedded WebSphere Application ServerTo manually install Embedded WebSphere Application Server, use the followingprocedure:

1. After you download and unzip (or untar) the IBM Tivoli Directory Server zipor tar files, change directories to the directory where you expanded the files,and then change to the appsrv subdirectory.

2. Type the following command at a command prompt:


install.bat -installRoot EWAS_installpath


install.sh -installRoot EWAS_installpath

where EWAS_installpath is the directory where you are installing EmbeddedWebSphere Application Server. By convention, this directory is the appsrvsubdirectory of the directory where IBM Tivoli Directory Server is installed, butyou can use any directory. (This directory is /opt/IBM/ldap/V6.1/appsrv on

AIX, Solaris, and HP-UX systems and /opt/ibm/ldap/V6.1/appsrv on Linuxsystems, by convention.)

3. Install the Web Administration Tool, using either the InstallShield GUI or anoperating system utility for your operating system. After installing the WebAdministration Tool, copy the Web Administration Tool to the EmbeddedWebSphere Application Server directory by using the following commands:


md EWAS_installpath\installableApps\copy installpath\idstools\IDSWebApp.war EWAS_installpath\installableApps\





mkdir EWAS_installpath/installableApps/cp installpath/idstools/IDSWebApp.war EWAS_installpath/installableApps/

where

v EWAS_installpath is the directory where you are installing EmbeddedWebSphere Application Server. By convention, this directory is the appsrvsubdirectory of the directory where IBM Tivoli Directory Server is installed,

but you can use any directory.v installpath is the directory where IBM Tivoli Directory Server is installed.

Deploying the Web Administration Tool into EmbeddedWebSphere Application Server

The deploy_IDSWebApp command deploys the IDSWebApp.war file toEmbedded WebSphere Application Server or WebSphere Application Server,retaining the configuration settings of the currently deployed IDSWebApp.war fileif there are any.

First be sure that the deploy_IDSWebApp.bat file is present in the/installpath/idstools folder. (installpath is the directory where IBM Tivoli Directory

Server is installed.)

Deploy the Web Administration Tool into Embedded WebSphere ApplicationServer by using the following command:


deploy_IDSWebApp.bat


deploy_IDSWebApp

Note: If you install the Web Administration Tool and Embedded WebSphereApplication Server through the InstallShield GUI, this command is runautomatically.

Optionally, you can also use the following flags:

v -a Application Name where Application Name is the name of the application todeploy. If not specified, defaults to IDSWebApp.war.

v -w path to IDSWebApp.war file where path to IDSWebApp.war file is the fullyqualified path of the IDSWebApp.war file to deploy

v -p location of app server where location of app server is the location of WebSphereApplication Server where the application is to be deployed.

v -r profile where profile is the profile name associated with the application. If notspecified, the default is ’TDSWebAdminProfile’.

v -h displays usage for the command.

v

-v displays the version and date strings for the deploy_IDSWebApp script andthe application war file.

Note: The -w , -p, and -r flags must be used if you are deploying into anon-embedded version of WebSphere Application Server. They can be usedoptionally with an embedded version of WebSphere Application Server. Youcan also use the




Uninstalling the Web Administration Tool from Embedded WebSphere

Application Server

To uninstall the Web Administration Tool from Embedded WebSphere ApplicationServer manually:

1. Be sure that the Web application server is started. See “Starting the Web

application server to use the Web Administration Tool” on page 138 forinstructions.

2. Type the following at a command prompt to uninstall the Web AdministrationTool:


deploy_IDSWebApp.bat -u


deploy_IDSWebApp -u

where -u specifies to uninstall a previously existing application. Optionally, youcan also use the following flags:

v -a Application Name where Application Name is the name of the application to

undeploy. If not specified, the default application IDSWebApp.war isundeployed.

v -w path to IDSWebApp.war file where path to IDSWebApp.war file is the fullyqualified path of the IDSWebApp.war file to deploy

v -p location of app server where location of app server is the location of WebSphereApplication Server where the application is to be deployed.

v -r profile where profile is the profile name associated with the application. If notspecified, the default is ’TDSWebAdminProfile’.

Note: The -w , -p, and -r flags must be used if you are undeploying from anon-embedded version of WebSphere Application Server. They can be usedoptionally with an embedded version of WebSphere Application Server.

Default ports for Embedded WebSphere Application Server for the Web

Administration Tool

Embedded WebSphere Application Server uses four default port settings:

v HTTP Transport (port 1): 12100


v Bootstrap/rmi port: 12102

v Soap connector port: 12103

v Admin Console (for administering WebSphere Application Server) port: 12104

v Secure Admin Console (for administering WebSphere Application Server) port:

12105

Other ports that might be used are: 9405, 9406, 9407, 9105, 9375, 7276, 7286, 5558,5577, 5075, 5076

If a conflict exists with another application using one or more of these defaultports, you can use a text editor to change from the default ports to unused ports.

In the install_dir\appsrv\profiles\TDSWebAdminProfile\properties\portdef.propsfile, (install_dir is the directory where IBM Tivoli Directory Server is installed),make the following changes as needed:

Appendix H. Installing, configuring, and uninstalling Embedded WebSphere Application Server 173



HTTP Transport port 1Find the line containing the port number 12100 and replace the 12100 withthe port number that you want.


Bootstrap/rmi portFind the line containing the port number 12102 and replace the 12102 withthe port number that you want.

Soap connector portFind the line containing the port number 12103 and replace the 12103 withthe port number that you want.

Admin Console portFind the line containing the port number 12104 and replace the 12104 withthe port number that you want.

Admin Secure Console portFind the line containing the port number 12105 and replace the 12105 with

the port number that you want.

Using HTTPS for Embedded WebSphere Application Server Version

6.1.0.7

Embedded WebSphere Application Server 6.1.0.7, by default, has HTTPS set up onport 12101. To use HTTPS, you must change your login Web address to thefollowing:

https://<hostname>:12101/IDSWebApp/IDSjsp/Login.jsp

For non-HTTPS connections, continue to use the following Web address:

http://<hostname>:12100/IDSWebApp/IDSjsp/Login.jsp

Additionally, if you want to change the Web application server’s SSL certificate,you can create new key and trust store database files for Embedded WebSphereApplication Server to use. By default, the key and trust store database files areseparate and are located in the <WASHOME>/etc directory. These files are namedDummyServerKeyFile.jks and DummyServerTrustFile.jks respectively.

After you have created your new jks files, you can change the key and trust storedatabase files that WAS uses by modifying the following items (highlighted inbold) in the <WASHOME>/config/cells/DefaultNode/security.xml file to use yournew file names, passwords, and file formats:

<repertoire xmi:id="SSLConfig_1" alias="DefaultNode/DefaultSSLSettings"><setting xmi:id="DefaultSSLSettings"<setting xmi:id="SecureSocketLayer_1"

keyFileName="${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks"keyFilePassword="WebAS" keyFileFormat="JKS"trustFileName="${USER_INSTALL_ROOT}/etc/DummyServerTrustFile.jks"trustFilePassword="WebAS" trustFileFormat="JKS"clientAuthentication="false" securityLevel="HIGH"enableCryptoHardwareSupport="false"><cryptoHardware xmi:id="CryptoHardwareToken_1" tokenType=""

libraryFile="" password=""/><properties xmi:id="Property_4" name="com.ibm.ssl.protocol" value="SSLv3"/>




<properties xmi:id="Property_5" name="com.ibm.ssl.contextProvider"value="IBMJSSE"/>

</setting></repertoire>

Appendix H. Installing, configuring, and uninstalling Embedded WebSphere Application Server 175



Appendix I. Installing the Web Administration Tool intoWebSphere

IBM Tivoli Directory Server 6.1 provides Embedded WebSphere Application Server6.1.0.7 as an application server for the Web Administration Tool. However, you canalso use WebSphere as a Web application server for the Web Administration Tool.(For supported versions, see IBM Tivoli Directory Server Version 6.1 SystemRequirements.) If you use WebSphere, you must install the Web Administration Toolinto WebSphere. Use the following instructions as a guide:

1. Install WebSphere, using the installation information provided with it.

2. Install the Web Administration Tool using either the InstallShield GUI or theinstallation utility for your operating system. The file containing the WebAdministration Tool is named IDSWebApp.war, and it is in the idstoolssubdirectory of the installation directory you specified during installation.

3. Install the Web Administration Tool application into WebSphere, using the

information provided with WebSphere. For example, if you use theAdministrative Console, on the Install New Application window, set the Localpath to installdirectory/idstools/IDSWebApp.war, and the Context root to/IDSWebApp.

installdirectory is the directory you specified when installing the WebAdministration Tool.

4. Start the Web Administration Tool (for example, through the AdministrativeConsole).

5. From a Web browser, type the following address:

v For HTTP, type http://localhost:<WAS_http_port>/IDSWebApp/IDSjsp/Login.jsp

v For HTTPS, type http://localhost:<WAS_https_port>/IDSWebApp/IDSjsp/

Login.jspBy default, the HTTP port is 9080 and the HTTPS port is 9443.

The IBM Tivoli Directory Server Web Administration login page window isdisplayed.

Note: This address works only if you are running the browser on the computeron which the Web Administration Tool is installed. If the WebAdministration Tool is installed on a different computer, replacelocalhost with the hostname or IP address of the computer where theWeb Administration Tool is installed.

When deploying the Web Administration Tool into Websphere ApplicationServer, if Global or Administrative security is turned on for Websphere

Application Server and SSL must be enabled for the Web Administration Tool,you can use one of the following approaches:

v Deploy the Web Administration Tool into a new profile.

v If it is not possible to deploy the Web Administration Tool into a new profile,you must add the directory server’s certificate to the profile’s trust store.Additionally, for server-client authentication, you must add the WebsphereApplication Server profile certificate to the directory server’s trust store.




Appendix J. Default ports for Embedded WebSphereApplication Server for IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator Administration and Monitoring Console uses fourdefault port settings:



v Bootstrap/rmi port: 12112

v Soap connector port: 12113

v Admin Console (for administering WebSphere Application Server) port: 12114

v Secure Admin Console (for administering WebSphere Application Server) port:12115

Other ports that might be used are: 9408, 9409, 9410, 9106, 9376, 7277, 7287, 5559,5578, 5077, 5078

If a conflict exists with another application using one or more of these defaultports, you can use a text editor to change from the default ports to unused ports.

In the install_dir\appsrv\profiles\TDSTDIAMCProfile\properties\portdef.propsfile, (install_dir is the directory where IBM Tivoli Directory Server is installed),make the following changes as needed:


HTTP Transport port 2Find the line containing the port number 12111 and replace the 12111 with

the port number that you want.

Bootstrap/rmi portFind the line containing the port number 12112 and replace the 12112 withthe port number that you want.

Soap connector portFind the line containing the port number 12113 and replace the 12113 withthe port number that you want.

Admin Console portFind the line containing the port number 12114 and replace the 12114 withthe port number that you want.

Admin Secure Console port

Find the line containing the port number 12115 and replace the 12115 withthe port number that you want.




Appendix K. ASCII characters from 33 to 126

The following table shows ASCII characters from 33 to 126. These are thecharacters that can be used in the encryption seed string.

ASCII code Character ASCII code Character ASCII code Character

33 ! exclamation point 34 " double quotation 35 # number sign

36 $ dollar sign 37 % percent sign 38 & ampersand

39 ' apostrophe 40 ( left parenthesis 41 ) right parenthesis

42 * asterisk 43 + plus sign 44 , comma

45 - hyphen 46 . period 47 / slash

48 0 49 1 50 2

51 3 52 4 53 5

54 6 55 7 56 8

57 9 58 : colon 59 ; semicolon

60 < less-than sign 61 = equals sign 62 > greater-than sign

63 ? question mark 64 @ at sign 65 A uppercase a

66 B uppercase b 67 C uppercase c 68 D uppercase d

69 E uppercase e 70 F uppercase f 71 G uppercase g

72 H uppercase h 73 I uppercase i 74 J uppercase j

75 K uppercase k 76 L uppercase l 77 M uppercase m

78 N uppercase n 79 O uppercase o 80 P uppercase p

81 Q uppercase q 82 R uppercase r 83 S uppercase s

84 T uppercase t 85 U uppercase u 86 V uppercase v

87 W uppercase w 88 X uppercase x 89 Y uppercase y

90 Z uppercase z 91 [ left square bracket 92 \ backslash

93 ] right square bracket 94 ^ caret 95 _ underscore

96 ` grave accent 97 a lowercase a 98 b lowercase b

99 c lowercase c 100 d lowercase d 101 e lowercase e

102 f lowercase f 103 g lowercase g 104 h lowercase h

105 i lowercase i 106 j lowercase j 107 k lowercase k

108 l lowercase l 109 m lowercase m 110 n lowercase n

111 o lowercase o 112 p lowercase p 113 q lowercase q

114 r lowercase r 115 s lowercase s 116 t lowercase t

117 u lowercase u 118 v lowercase v 119 w lowercase w

120 x lowercase x 121 y lowercase y 122 z lowercase z

123 { left curly brace 124 | vertical bar 125 } right curly brace

126 ~ tilde




Appendix L. Information for bundlers

If you produce a product that bundles IBM Tivoli Directory Server, use theinformation in this appendix:

How to install silently

To install IBM Tivoli Directory Server and its corequisite products such as DB2silently:

On Windows systems:Use the silent installation provided with IBM Tivoli Directory Server. SeeChapter 11, “Installing and uninstalling silently on Windows systems,” onpage 81 for instructions.

On AIX, Linux, Solaris, and HP-UX systems:

Note: Silent installation using the IBM Tivoli Directory Server InstallShieldGUI installation is not supported on AIX, Linux, Solaris, and HP-UXsystems.

v If you want to use InstallShield for Multi-platforms to build yourinstallation program, you can use the native install beans provided byInstallShield for Multi-platforms to bundle and launch native installationof the IBM Tivoli Directory Server native packages for the appropriateoperating system.

v To use native operating system commands to install the nativeinstallation packages, you can launch a script during your installationthat runs the native commands.

For information about the native installation packages for each operating

system, see one of the following:v Chapter 7, “Installing IBM Tivoli Directory Server using AIX utilities,”

on page 49

v Chapter 8, “Installing IBM Tivoli Directory Server using Linux utilities,”on page 61

v Chapter 9, “Installing IBM Tivoli Directory Server using Solaris utilities,”on page 67

v Chapter 10, “Installing IBM Tivoli Directory Server using HP-UXutilities,” on page 75

Environment variable for silent installation with native packages

To install IBM Tivoli Directory Server using the native installation packages, youmust set the environment variable IBMLDAP_INSTALL_SILENT to yes. If you donot set this environment variable, the installation might hang when an echo orprompt statement in the native package is reached.

Note: This does not apply to Solaris or HP-UX systems.




Starting the instance administration tool in migration mode

If you are migrating a directory server from a release before 6.0 to an IBM TivoliDirectory Server 6.1 directory server instance, you can start the InstanceAdministration Tool in migration mode. The command for starting the InstanceAdministration Tool in this way is:

idsxinst -migrate path

where path is the path where the backed-up configuration and schema files arestored.

The first window displayed in the Instance Administration Tool when you start itin this way is the Create new directory server instance window, with fieldscompleted from the backed-up files.

Additional information about GSKit

GSKit has shipped the following jar files for your convenience:

v lib/ext/ibmjceprovider.jar

v lib/ext/ibmpkcs.jarv lib/ibmjcefw.jar

v lib/security/local_policy.jar

v lib/security/US_export_policy.jar

v lib/ibmpkcs11.jar

It is up to each individual product to decide whether to provide these JSSE jar filesin the product. The following are GSKit’s recommendations:

v A product should ship whatever JSSE jar files it used for system testing with theproduct.

v If your existing Java 1.5 installation’s JSSE jar files are later than those required

by GSKit, no action is required.v If your existing Java 1.5 installation’s JSSE jar files are older than those required

by GSKit, you should replace your old JSSE jar files with GSKit’s. GSKitIKeyman will work with the old JSSE jar files. However, the support for IPv6may not work and some IKeyman functions may fail due to known bug fixesthat are not included in your JDK installation.




Appendix M. Installing and configuring DSML

Directory Services Markup Language (DSML) is installed as a .zip file namedDSML.zip in the installpath/idstools (or installpath\idstools for Windows systems)

directory when you install the Web Administration Tool. After you unzip theDSML.zip file, documentation files are available that tell you how to install,configure, and use DSML. These files are:

DSMLReadme.txtDescribes the files in the package and tells you how to install andconfigure DSML.

dsml.pdfDescribes how to use DSML. This file is in PDF format.

dsml.htmDescribes how to use DSML, in HTML format.




Appendix N. Loading the sample LDIF file into the database

Use the following procedure to load the sample database.

1. Start the Configuration Tool if it is not already started. See “Starting and usingthe IBM Tivoli Directory Server Configuration Tool (idsxcfg)” on page 111 forinstructions.

2. If you created a directory server instance that is not the default directory serverinstance, create the o=sample suffix by using the following steps. (If youcreated the default directory server instance, this suffix is already created.)

a. In the Configuration Tool, click Manage suffixes in the task list on the left.

b. In the Manage suffixes window, in the SuffixDN field, type o=sample. Thisis the suffix DN that will hold the sample data. Because the sample data ispart of the suffix o=sample, this is the suffix DN you must add.

c. Click Add.

d. Click OK.

Note: When you click Add, the suffix is added to the list in the Currentsuffix DNs box; however, the suffix is not actually added until youclick OK.

3. In the Configuration Tool, click Import LDIF data in the task list on the left.

4. In the Import LDIF data window on the right, in the Path and LDIF file namefield, type one of the following:

v install_dir\examples\sample.ldif on Windows systems. install_dir is thedirectory where you installed IBM Tivoli Directory Server. By default onWindows systems, this directory is C:\Program Files\IBM\LDAP\V6.1.

v /opt/IBM/ldap/V6.1/examples/sample.ldif on AIX, Solaris, and HP-UXsystems.

v /opt/ibm/ldap/V6.1/examples/sample.ldif on Linux systems.

Alternatively, you can click Browse to locate the file.

5. Click Standard import.

6. Click Import. (Scroll down to see the Import button if it is not visible.)

7. Click OK.

Note: As an alternative, you can use:

v The idscfgsuf command to add the suffix:

idscfgsuf -s "o=sample"

v The idsldif2db utility to import the data. For example,

idsldif2db -i install_dir\examples\sample.ldif -I myinstance

where myinstance is the name of the directory server instance.

8. After processing is complete, click Close.

9. To start the directory server instance:

a. Go to the sbin subdirectory of the directory where you installed IBM TivoliDirectory Server.

b. If you have only one directory server instance, type idsslapd at a commandprompt. If you have more than one directory server instance, type

idsslapd -I instancename




where instancename is the name of the instance you want to start.

Messages are displayed while the server is starting. The following message isdisplayed if the server starts successfully:

IBM Tivoli Directory, Version 6.1 Server started.

You have verified that the sample database is loaded correctly and that theinstallation is successful.

Use the instructions in “Starting the Web Administration Tool” on page 138 to startthe Web Administration Tool if you installed it. See the IBM Tivoli Directory ServerVersion 6.1 Administration Guide for information about using the WebAdministration Tool and using the server.




Appendix O. UTF-8 support

IBM Tivoli Directory Server supports a wide variety of national languagecharacters through the UTF-8 (UCS Transformation Format) character set. As

specified for the LDAP Version 3 protocol, all character data that is passed betweenan LDAP client and a server is in UTF-8. Consequently, the directory server can beconfigured to store any national language characters that can be represented inUTF-8. The limitations on what types of characters can be stored and searched forare determined by how the database is created. The database character set can bespecified as UTF-8 or it can be set to use the server system’s local character set(based on the locale, language, and code page environment).

If you specify UTF-8, you can store any UTF-8 character data in the directory.LDAP clients running anywhere in the world (in any UTF-8 supported language)can access and search the directory. In many cases, however, the client has limitedability to properly display the results retrieved from the directory in a particularlanguage/character set. There is also a performance advantage to using a UTF-8database because no data conversion is required when storing data to or retrievingdata from the database.

Note: If you want to use language tags, the database must be a UTF-8 database.

Why choose anything other than UTF-8?

A UTF-8 database has a fixed collation sequence. That sequence is the binary orderof the UTF-8 characters. It is not possible to do language-sensitive collation with aUTF-8 database.

If it is important to your LDAP applications or users to get results for a search

using an ordering filter (for example,″

name >= SMITH″

) or any search specifyingthe control to sort the results as they would expect for their native language, thenUTF-8 might not be the appropriate character set for their directory database. Inthat instance, the LDAP server system and all client systems should run using thesame character set and locale. For example, an LDAP server running in a Spanishlocale with a database created using that locale returns results of searches based oncharacter ordering, as Spanish-language clients would expect. This configurationdoes limit your directory user community to a single end-user character set andcollation sequence.

Server utilities

Manual creation of an LDIF file containing UTF-8 values is difficult. To simplify

this process, a charset extension to the LDIF format is supported. This extensionallows an Internet Assigned Numbers Authority (IANA) character set name to bespecified in the header of the LDIF file (along with the version number). A limitedset of the IANA character sets are supported.

ExamplesYou can use the optional charset tag so that the server utilities automaticallyconvert from the specified character set to UTF-8 as in the following example:




version: 1charset: ISO-8859-1

dn: cn=Juan Griego, o=University of New Mexico, c=UScn: Juan Griegosn: Griegodescription:: V2hhdCBhIGNhcmVmdWwgcmVhZGVyIHlvdtitle: Associate Dean

title: [title in Spanish]jpegPhoto:< file:///usr/local/photos/jgriego.jpg

In this instance, all values following an attribute name and a single colon aretranslated from the ISO-8859-1 character set to UTF-8. Values following an attributename and a double colon (such as description:: V2hhdCBhIGNhcm... ) should be

base 64-encoded, and are expected to be either binary or UTF-8 character strings.Values read from a file, such as the jpegPhoto attribute specified by the Webaddress in the example above, are also expected to be either binary or UTF-8. Notranslation from the specified ″charset″ to UTF-8 is done on those values.

In this example of an LDIF file without the charset tag, content is expected to be inUTF-8:

# IBM IBM Directorysample LDIF file## The suffix "o=IBM, c=US" should be defined before attempting to load# this data.

version: 1

dn: o=IBM, c=USobjectclass: topobjectclass: organizationo: IBM

dn: ou=Austin, o=IBM, c=USou: Austinobjectclass: organizationalUnit

seealso: cn=Mary Smith, ou=Austin, o=IBM, c=US

This same file could be used without the version: 1 header information, as inprevious releases of IBM Tivoli Directory Server:

# IBM IBM Directorysample LDIF file##The suffix "o=IBM, c=US" should be defined before attempting to load#this data.

dn: o=IBM, c=USobjectclass: topobjectclass: organizationo: IBM

dn: ou=Austin, o=IBM, c=USou: Austinobjectclass: organizationalUnitseealso: cn=Linda Carlesberg, ou=Austin, o=IBM, c=US

Supported IANA character sets

IBM Tivoli Directory Server supports the Internet Assigned Number Authority(IANA) character set names by platform, as shown in the following table. Theseare the character set names that can be specified in an LDIF file or using theC-client interface to identify the character set of input data to be used with thedirectory.




Go to http://www.iana.org/assignments/character-sets for more informationabout IANA-registered character sets.

Table 20. IANA-defined character sets

Character Locale DB2 Code Page

Set Name HP-UXLinux,Linux_390, Windows AIX Solaris UNIX Windows

ISO-8859-1 X X X X X 819 1252

ISO-8859-2 X X X X X 912 1250

ISO-8859-5 X X X X X 915 1251

ISO-8859-6 X X X X X 1089 1256

ISO-8859-7 X X X X X 813 1253

ISO-8859-8 X X X X X 916 1255

ISO-8859-9 X X X X X 920 1254

ISO-8859–15 X n/a X X X

IBM437 n/a n/a X n/a n/a 437 437

IBM850 n/a n/a X X n/a 850 850IBM852 n/a n/a X n/a n/a 852 852

IBM857 n/a n/a X n/a n/a 857 857

IBM862 n/a n/a X n/a n/a 862 862

IBM864 n/a n/a X n/a n/a 864 864

IBM866 n/a n/a X n/a n/a 866 866

IBM869 n/a n/a X n/a n/a 869 869

IBM1250 n/a n/a X n/a n/a






TIS-620 n/a n/a X X n/a 874 874

EUC-JP X X n/a X X 954 n/a

EUC-KR n/a n/a n/a X X 970 n/a

EUC-CN n/a n/a n/a X X 1383 n/a

EUC-TW X n/a n/a X X 964 n/a

Shift-JIS n/a X X X X 932 943

KSC n/a n/a X n/a n/a n/a 949GBK n/a n/a X X n/a 1386 1386

Big5 X n/a X X X 950 950

GB18030 n/a X X X X

HP15CN X (withnon-

GB18030)

Appendix O. UTF-8 support 191

http://www.iana.org/assignments/character-sets

http://www.iana.org/assignments/character-sets



Notes:

1. The Chinese character set standard (GB18030) is supported with appropriatepatches available from www.sun.com and www.microsoft.com

2. On Windows operating systems, you must set the environment variablezhCNGB18030=TRUE.




Appendix P. Installing and uninstalling GSKit manually onWindows operating systems

If you install IBM Tivoli Directory Server using silent installation, GSKit is notinstalled. You can use the following procedure to install it.

To install GSKit 7.0.3.30:

1. Change directories to the \gskit directory on the IBM Tivoli Directory ServerCD or the itdsV61\gskit subdirectory of the directory where you unzipped theIBM Tivoli Directory Server .zip file.

2. Run one of the following commands. (Do not start setup.exe by clicking on theicon.)

v On 32-bit Windows systems:

setup LDAP -s -f1"setup_file_location\setup.iss"

where LDAP is the name of your application and will be registered as aregistered user of GSK in the Windows Registry (under the keyHKEY_LOCAL_MACHINE\SOFTWARE\IBM\GSK\ CurrentVersion\REGAPPS).

The following options can be used:

– -s to run the setup in the silent mode.

– -f1setup_file_location\setup.iss specifies the response file needed to run thesetup in the silent mode. Note that there is no space between -f1 and the

beginning of the setup file location.

For example, if you unzipped the IBM Tivoli Directory Server .zip file intothe d:\DirectoryServerV6.1 directory, type:

cd d:\DirectoryServerV61\itdsV61\gskit

setup LDAP -s -f1"d:\DirectoryServerV61\itdsV61\gskit\setup.iss"v On AMD64/Opteron/EM64T Windows systems:

GSK7BAS_64.msi

See Appendix Q, “Setting up GSKit to support CMS key databases,” on page 195for more information about setting up GSKit after installation.

Removing GSKit

To remove GSKit, run one of the following commands:

v On Intel 32-bit Windows systems:

%SYSTEMROOT%\gsk7bui.exe -f <GSKit_INSTALL_HOME >\gsk7BUI.isu

v On AMD64/Opteron/EM64T Windows systems, use Add or Remove Programsin the Control Panel, or use the following command:

MsiExec.exe -uninstall {9512AA72-3544-4016-A7CB-DEF07972441C}




Appendix Q. Setting up GSKit to support CMS key databases

To set up GSKit to support Certificate Management Services (CMS) key databases,complete the following procedure before starting the iKeyman GUI:

1. Be sure that you have installed GSKit 7.0.3.30.

2. Set JAVA_HOME to point to the java subdirectory of the IBM Tivoli DirectoryServer installation directory.

3. JDK 1.5 requires the user to have jurisdiction policy files. Due to the importrestrictions for some countries, the jurisdiction policy files distributed with

J2SDK version 1.5 have built-in restrictions on the available cryptographicstrength.

The JDK 1.5 requires jurisdiction policy files that contain no restrictions oncryptographic strength. Note that the 1.5 IBM JRE uses the 1.4 policy files.Download the Unrestricted JCE Policy files for 1.4.2 from:

https://www14.software.ibm.com/webapp/iwm/web/

preLogin.do?source=jcesdkThe download includes the local_policy.jar and US_export_policy.jar files.

4. Remove the gskikm.jar file from $JAVA_HOME/jre/lib/ext.

5. Copy the local_policy.jar file to $JAVA_HOME/jre/lib/security.

6. Copy the US_export_policy.jar file to $JAVA_HOME/jre/lib/security.

7. Depending on your setup, do one of the following:

Configure Java Runtime Environment 1.5 (platforms other than Solaris andHP-UX)

Using a text editor, open $JAVA_HOME/jre/lib/security/java.securityand add the IBM CMS security provider. For example:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2

security.provider.2=com.ibm.spi.IBMCMSProvidersecurity.provider.3=com.ibm.crypto.provider.IBMJCEsecurity.provider.4=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.5=com.ibm.security.cert.IBMCertPathsecurity.provider.6=com.ibm.security.sasl.IBMSASL

Configure Java Runtime Environment 1.5 with FIPS support (platforms otherthan Solaris and HP-UX)

Using a text editor, open $JAVA_HOME/jre/lib/security/java.securityand add the IBM CMS security provider and the IBM JCE FIPS securityprovider. For example:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2security.provider.2=com.ibm.spi.IBMCMSProvidersecurity.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPSsecurity.provider.4=com.ibm.crypto.provider.IBMJCEsecurity.provider.5=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.6=com.ibm.security.cert.IBMCertPathsecurity.provider.7=com.ibm.security.sasl.IBMSASL

Configure Java Runtime Environment 1.5 with PKCS#11 crypto hardwaresupport (platforms other than Solaris and HP-UX)

a. Obtain the pkcs#11 native support libraries from your crypto cardvendor.

b. Using a text editor, open $JAVA_HOME/jre/lib/security/ java.security and add the IBM CMS security provider. For example:




security.provider.1=com.ibm.jsse2.IBMJSSEProvider2security.provider.2=com.ibm.spi.IBMCMSProvidersecurity.provider.3=com.ibm.crypto.provider.IBMJCEsecurity.provider.4=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.5=com.ibm.security.cert.IBMCertPathsecurity.provider.6=com.ibm.security.sasl.IBMSASL

Configure Java Runtime Environment 1.5 with FIPS support and PKCS#11

crypto hardware support (platforms other than Solaris and HP-UX)a. Obtain the pkcs#11 native support libraries from your crypto card

vendor.

b. Using a text editor, open $JAVA_HOME/jre/lib/security/ java.security and add the IBM CMS security provider and the IBM JCE FIPS security provider. For example:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2security.provider.2=com.ibm.spi.IBMCMSProvidersecurity.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPSsecurity.provider.4=com.ibm.crypto.provider.IBMJCEsecurity.provider.5=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.6=com.ibm.security.cert.IBMCertPathsecurity.provider.7=com.ibm.security.sasl.IBMSASL

Configure Java Runtime Environment 1.5 (Solaris and HP-UX platforms)Using a text editor, open $JAVA_HOME/jre/lib/security/java.securityand add the IBM CMS security provider. For example:

security.provider.1=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.2=sun.security.provider.Sunsecurity.provider.3=com.ibm.spi.IBMCMSProvidersecurity.provider.4=com.ibm.crypto.provider.IBMJCEsecurity.provider.5=com.ibm.jsse2.IBMJSSEProvider2security.provider.6=com.ibm.security.cert.IBMCertPathsecurity.provider.7=com.ibm.security.sasl.IBMSASL

Read the file located at $JAVA_HOME/README_FIRST.

Configure Java Runtime Environment 1.5 with FIPS support (IBM JRE for

Solaris and HP-UX platforms)Using a text editor, open $JAVA_HOME/jre/lib/security/java.securityand add the IBM CMS security provider and the IBM JCE FIPS securityprovider. For example:

security.provider.1=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.2=sun.security.provider.Sunsecurity.provider.3=com.ibm.spi.IBMCMSProvidersecurity.provider.4=com.ibm.crypto.fips.provider.IBMJCEFIPSsecurity.provider.5=com.ibm.crypto.provider.IBMJCEsecurity.provider.6=com.ibm.jsse2.IBMJSSEProvider2security.provider.7=com.ibm.security.cert.IBMCertPathsecurity.provider.8=com.ibm.security.sasl.IBMSASL

Read the file located at $JAVA_HOME/README_FIRST.

Configure Java Runtime Environment 1.5 with PKCS#11 crypto hardwaresupport (IBM JRE for Solaris and HP-UX platforms)


b. Using a text editor, open $JAVA_HOME/jre/lib/security/ java.security and add the IBM CMS security provider. For example:

security.provider.1=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.2=sun.security.provider.Sunsecurity.provider.3=com.ibm.spi.IBMCMSProvidersecurity.provider.4=com.ibm.crypto.provider.IBMJCE




security.provider.5=com.ibm.jsse2.IBMJSSEProvider2security.provider.6=com.ibm.security.cert.IBMCertPathsecurity.provider.7=com.ibm.security.sasl.IBMSASL

c. Read the file located at $JAVA_HOME/README_FIRST.

Configure Java Runtime Environment 1.5 with FIPS support and PKCS#11crypto hardware support (IBM JRE for Solaris and HP-UX platforms)


b. Using a text editor, open $JAVA_HOME/jre/lib/security/ java.security and add the IBM CMS security provider and the IBM JCE FIPS security provider. For example:

security.provider.1=com.ibm.security.jgss.IBMJGSSProvidersecurity.provider.2=sun.security.provider.Sunsecurity.provider.3=com.ibm.spi.IBMCMSProvidersecurity.provider.4=com.ibm.crypto.fips.provider.IBMJCEFIPSsecurity.provider.5=com.ibm.crypto.provider.IBMJCEsecurity.provider.6=com.ibm.jsse2.IBMJSSEProvider2security.provider.7=com.ibm.security.cert.IBMCertPathsecurity.provider.8=com.ibm.security.sasl.IBMSASL

c. Read the file located at $JAVA_HOME/README_FIRST.

Appendix Q. Setting up GSKit to support CMS key databases 197



Appendix R. Accessibility features for IBM Tivoli DirectoryServer

Accessibility features help a user who has a physical disability, such as restrictedmobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Tivoli DirectoryServer. You can use screen-reader software to hear what is displayed on the screen.

v Supports keyboard-only operation

v Supports interfaces commonly used by screen readers

v Keys are tactilely discernible and do not activate just by touching them

v Ports and connectors support the connection of industry-standard devices

v Supports the attachment of alternative input and output devices

Note: The IBM Tivoli Directory Server Information Center, and its relatedpublications, are accessibility-enabled for the IBM Home Page Reader. Youcan operate all features using the keyboard instead of the mouse.

Keyboard navigation

This product uses standard Microsoft® Windows navigation keys.

Related accessibility information

Visit the IBM Accessibility Center at http://www.ibm.com/able for more

information about IBM’s commitment to accessibility.


http://www.ibm.com/able

http://www.ibm.com/able



Appendix S. Notices

This information was developed for products and services offered in the U.S.A.IBM might not offer the products, services, or features discussed in this document

in other countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter inthis document. The furnishing of this document does not give you any license tothese patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM CorporationNorth Castle DriveArmonk, NY 10504-1785U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing2-31 Roppongi 3-chome, Minato-kuTokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not applyto you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the information. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thisinformation at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.




Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM CorporationDepartment MU5A4611301 Burnet RoadAustin, TX 78758U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and colorillustrations may not appear.

Trademarks

The following terms are trademarks of International Business Machines

Corporation in the United States, or other countries, or both:

AIXDB2i5/OSIBMiSeriesOMEGAMONPassport AdvantagepSeriesRS/6000




SecureWaySPTivoliWebSpherexSeriesz/OSzSeries

Adobe, the Adobe logo, PostScript®, and the PostScript logo are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,and/or other countries.

Intel, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo,Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in theUnited States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Other company, product, and service names may be trademarks or service marksof others.

Appendix S. Notices 203



Index

Aaccessibility ix, 199

keyboard 199shortcut keys 199

Active Directory synchronizationConfiguration Tool 130

administrator DNchanging 113setting

idsdnpw command 113Instance Administration Tool 99

administrator DN, settingConfiguration Tool 113

administrator passwordsetting

Instance Administration Tool 100administrator password, setting

command line 114Configuration Tool 114

AIXcommand line 56disk space requirements 155installp installation 56SMIT installation 53

ASCII characters33 to 126 181allowable in encryption seed

string 181

B backing up database

Configuration Tool 128idsdbback command 128

bookssee publications vii, viii

bundlers, information for 183

Cchange log

disablingidsucfgchglg 120

enablingidscfgchglg 119

change log, disablingConfiguration Tool 120

change log, enablingConfiguration Tool 119

changing database owner passwordcommand line 117Configuration Tool 117

character setIANA 190

clientoverview 4removing 141

code page, DB2 190commands

idscfgchglg 119

commands (continued)idscfgdb 116idscfgsch 124idscfgsuf 122idsdnpw 113idsidrop 110idsilist 109idssethost 109idssetport 109idsucfgchglg 120idsucfgdb 118idsucfgsch 124idsucfgsuf 123

configurationafter installation 111Embedded WebSphere Application

Server 171idsxcfg 111

overview 8, 111planning

database 159Configuration Tool 111configuring database

Configuration Tool 115conventions

typeface xcryptography, two-way,

synchronizing 165

Ddatabase

configuration planning 159access permissions 159code page 159security requirements 159structure 159type of data 159

configuringidscfgdb command 116Instance Administration Tool 99

unconfiguringConfiguration Tool 118idsucfgdb 118

database instance ownercreating 161requirements 161

database name 115

database ownercreating 161requirements 161

database owner password, changingcommand line 117Configuration Tool 117

database, backing upConfiguration Tool 128idsdbback command 128

database, configuringConfiguration Tool 115

database, optimizingConfiguration Tool 130

database, optimizngidsrunstats command 130

database, restoringConfiguration Tool 129idsdbrestore command 129

DB2code page 190overview 6

DB2 versions providedoverview 6

directory names, notation xdirectory server instance

adding a schema file 124changing TCP/IP settings for 108configuring a database 116content on AIX, Linux, Solaris,

HP-UX 168content on Windows 167

contents of 167creating with Instance Administration

Tool 94deleting 110disabling changelog 120enabling changelog 119files 167listing 109overview 7removing 110removing a schema file 124starting 137unconfiguring database 118viewing information about 109

directory server instance owner

creating 161requirements 161

Directory Services Markup Languageconfiguring 185documentation 185installing 185

directory structureiso, zip, tar files 147

disability 199disk space requirements

AIX 155HP-UX 157Linux 156Solaris 156Windows 155

DSMLconfiguring 185documentation 185installing 185

Eeducation

see Tivoli technical training ixEmbedded WebSphere Application Server

configuration 171default ports 173installing manually 171




Embedded WebSphere ApplicationServer (continued)

overview 5ports, default 173starting 138uninstalling 171upgrading 15upgrading using idswmigr 15

using HTTPS 174encryption saltspecifying 97

encryption seedspecifying 97, 127

encryption seed stringASCII characters allowed in 181

environment variables, notation xexporting LDIF data

Configuration Tool 127

Ffilter entry DN

specifying 128

full serveroverview 5

GGSKit

installingAIX 59HP-UX 78Linux 65Solaris 72

installing on Linux 65installing silently

Windows 193overview 6

removingAIX 60HP-UX 79Linux 66Solaris 73

removing silentlyWindows 193

setting up for CMS keydatabases 195

version provided 6

HHP-UX

before installing 75

disk space requirements 157mounting CD 21unmounting CD 22

IIANA 190IBM Tivoli Directory Integrator

for idssupport tool 32, 39, 44, 56, 58,64, 71, 78

for log management tool 32, 39, 44,56, 58, 64, 71, 78

IBM Tivoli Directory Integrator(continued)

for SNMP 32, 39, 44, 56, 58, 64, 71,78

idscfgchglg 119idscfgdb 116idscfgsch 124idscfgsuf 122

idsdbback command 128idsdbrestore command 129idsdnpw 113idsidrop 110idsilist 109idsldap group 22idsldap user

requirements 22idsrunstats command 130idssethost 109idssetport 109idsslapd command 137idssupport tool

requirement for IBM Tivoli DirectoryIntegrator 32, 39, 44, 56, 58, 64, 71,78

idsucfgchglg 120idsucfgdb 118idsucfgsch 124idsucfgsuf 123idswmigr utility

syntax 15using 15

idsxcfg 111importing LDIF data

Configuration Tool 126installation

AIX utilities 49checklist 1Embedded WebSphere Application

Server 171

HP-UX 77installp 56InstallShield GUI 25

AIX, Linux, or Solaris 34 before installing 25language packs 17Windows 30, 37, 41

language packsInstallShield GUI 17

Linux 61manual

AIX 49HP-UX 75Linux 61Solaris 67

Windows 81overview 4pkgadd 69quick path 1silent 81SMIT 53Solaris 67Solaris command line 69Web Administration Tool into

WebSphere 177installation packages

AIX 50HP-UX 75

installation packages (continued)Linux 61Solaris 67

installation pathAIX, Linux, Solaris, HP-UX 24, 34default, Windows 28, 31, 43

InstallShield GUI before installing 25

installing language packs 17overview 25Instance Administration Tool

description 93starting 93

instance, directory serverchanging TCP/IP settings for 108creating 94creating with Instance Administration

Tool 94deleting 110listing 109overview 7removing 110viewing information about 109

iso files, IBM Tivoli Directory Server 3

J Java client

overview 4

Kkernel configuration parameters

Solaris 139

Llanguage packs

installing silently 84installing with InstallShield GUI 17uninstalling with InstallShield

GUI 142languages supported 18LDIF data, exporting

Configuration Tool 127LDIF data, importing

Configuration Tool 126LDIF data, validating 127Linux

disk space requirements 156loading sample database 187locale 190log management tool


Mmanuals

see publications vii, viiimigbkup utility

location 11using 11




migrationclient information 11overview 11Web Administration Tool 15

migration utilitieslocation 11

mounting CDHP-UX 21

Nnational language characters 189notation

environment variables xpath names xtypeface x

Oonline publications

accessing viiioptimizing database

Configuration Tool 130

optimizng databaseidsrunstats command 130

ordering publications ix

Ppackage dependencies, HP-UX 75package dependencies, Solaris 67packages, installation

AIX 50HP-UX 75Linux 61Solaris 67

password for database owner, changingcommand line 117Configuration Tool 117

path names, notation xperformance tuning

Configuration Tool 133pkgadd 69proxy server

overview 5publications vii

accessing online viiiordering ix

Rremoving

client 141IBM Tivoli Directory ServerAIX 143HP-UX 145InstallShield GUI 141Linux 144operating system utilities 143Solaris 145

language packsInstallShield GUI 142

server 141replication filter DN

specifying 128

restoring databaseConfiguration Tool 129idsdbrestore command 129

RS/6000 SP environment, installation onnode 50

Ssample database, loading 187schema file

addingConfiguration Tool 123idscfgsch 124

removingConfiguration Tool 124idsucfgsch 124

schema file, changing validationtype 125

securityGSKit 6SSL 6

serverinstallation checklist 1

overview 4removing 141starting 137

server utilitiesidsbulkload 189idscfgsuf 122idsdb2ldif 189idsldif2db 189idssethost 109idssetport 109idsucfgsuf 123

serverstypes administered by Web

Administration Tool 5setting system variables

AIX 59shortcut keys

keyboard 199silent installation

checking log file 85checking Windows registry 86client options file 87language packs options file 88overview 81return codes 85server options file 86using 82verifying 85

silent uninstallationlanguage packs options file 90overview 89

server options file 89using 89

SMIT installation 53SNMP


Solariscommand line 69disk space requirements 156

SSL 6starting Web Administration Tool 138stopping Web Administration Tool 139

suffixadding

idscfgsuf 122removing

idsucfgsuf 123suffix, adding

Configuration Tool 121suffix, removing 122

swinstall 77synchronization with Active DirectoryConfiguration Tool 130

synchronizing two-waycryptography 165

system variables, settingAIX 59

Ttar files, IBM Tivoli Directory Server 3Tivoli software information center viiiTivoli technical training ixtraining, Tivoli technical ixtuning performance

Configuration Tool 133typeface conventions x

Uunconfiguring

database 118uninstallation

silent 89uninstalling

client 141Embedded WebSphere Application

Server 173IBM Tivoli Directory Server

operating system utilities 143

language packs 142server 141

unmounting CDHP-UX 22

upgradeoverview 3

upgrade utilitiesidswmigr 15

UTF-8 189utilities

command lineidscfgchglg 119idscfgdb 116idscfgsch 124idscfgsuf 122

idsdnpw 113idsidrop 110idsilist 109idssethost 109idssetport 109idsucfgchglg 120idsucfgdb 118idsucfgsch 124idsucfgsuf 123idswmigr 15

utilities, serveridsbulkload 189idsdb2ldif 189

Index 207



utilities, server (continued)idsldif2db 189

Vvalidating LDIF data 127variables, notation for x

WWeb Administration Tool

installing into WebSphere 177overview 5starting 138stopping 139types of servers administered by 5upgrading using idswmigr 15

Web application serverinstalling manually 171starting 138

WebSphere, installing WebAdministration Tool into 177

Windows

disk space requirements 155

Zzip files, IBM Tivoli Directory Server 3




Printed in USA

IBM Tivoli Directory Server 6.1_Installation and Configuration Guide

Documents

Transcript of IBM Tivoli Directory Server 6.1_Installation and Configuration Guide